VARIoT IoT vulnerabilities database
VAR-200605-0220 | CVE-2006-1461 | Apple QuickTime Flash the film Multiple buffer overflow vulnerabilities |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Multiple buffer overflows in Apple QuickTime before 7.1 allow remote attackers to execute arbitrary code via a crafted QuickTime Flash (SWF) file. Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime. These issues affect both Mac OS X and Microsoft Windows releases of the software.
Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. An attacker
could exploit these vulnerabilities by convincing a user to access
a specially crafted image or media file with a vulnerable version
of QuickTime. Since QuickTime configures most web browsers to
handle QuickTime media files, an attacker could exploit these
vulnerabilities using a web page.
For more information, please refer to the Vulnerability Notes.
II. For further information,
please see the Vulnerability Notes.
III.
Disable QuickTime in your web browser
An attacker may be able to exploit this vulnerability by persuading
a user to access a specially crafted file with a web
browser. Disabling QuickTime in your web browser will defend
against this attack vector. For more information, refer to the
Securing Your Web Browser document.
Appendix A. Please send
email to <cert@cert.org> with "TA06-132B Feedback VU#289705" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGT7JH0pj593lg50AQI2Uwf/U3zGDrR8UkWK4ry6AYMS7HPMdbiF6Vmo
9gP9Luc6Kj8zzxCWhnNKNzEq2P0B1oD03WcPFaIPnwvQJGApeUDRimyhQj8RDjME
yAUt/reWG7RZ0Z2w/qaiZP7pQ7SjyIUKkN2OCG8LMmGKqsiCdFXoss/Bu0yFMH11
uvgwibfvkOdRLAPmRTVWk+gJEAdw3xFySm9r92qmig6CxKi7GAIpi9Gf7MXcRsKg
oG3y5f06Kiq8ACYszPKneHE7WNvLP1ewuaWmf7PHiNebAB+W5hfwA2yEh6e6PSV2
eBi5cpigfXBrsjXk4L7wYrD8UcRl7nN8iqzWpMwYJkSloUmcYL1BBg==
=LsFu
-----END PGP SIGNATURE-----
. ____________________________________________________________________
McAfee, Inc.
McAfee Avert\x99 Labs Security Advisory
Public Release Date: 2006-05-11
Apple QuickDraw/QuickTime Multiple Vulnerabilities
CVE-2006-1249, CVE-2006-1453, CVE-2006-1454, CVE-2006-1459, CVE-2006-1460, CVE-2006-1461, CVE-2006-1462, CVE-2006-1464, CVE-2006-1465
______________________________________________________________________
* Synopsis
Apple QuickTime and Apple QuickDraw are multimedia technologies used to process image, audio and video data.
Two code execution vulnerabilities are present in QuickDraw PICT image format support.
Twenty one code execution vulnerabilities are present in QuickTime support for various multimedia formats including: MOV, H.264, MPEG 4, AVI, FPX and SWF. In order for an attack to succeed user interaction is required and therefore the risk factor for these issues is medium.
CVE-2006-1459
Seven integer overflow vulnerabilities are present in QuickTime MOV video format support.
CVE-2006-1460
Five buffer overflow vulnerabilities are present in QuickTime MOV video format support.
CVE-2006-1462
Three integer overflow vulnerabilities are presenting QuickTime H.264 (M4V) video format support.
CVE-2006-1464
One buffer overflow vulnerability is present in QuickTime MPEG4 (M4P) video format support.
CVE-2006-1465
One buffer overflow vulnerability is present in QuickTime AVI video format support.
______________________________________________________________________
* Legal Notice
Copyright (C) 2006 McAfee, Inc.
The information contained within this advisory is provided for the convenience of McAfee\x92s customers, and may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. McAfee makes no representations or warranties regarding the accuracy of the information referenced in this document, or the suitability of that information for your purposes.
McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
______________________________________________________________________
.
1) An integer overflow error within the processing of JPEG images can
be exploited via a specially crafted JPEG image to crash the
application and potentially execute arbitrary code.
4) An integer overflow and boundary error within the processing of
H.264 movies can be exploited via a specially crafted H.264 movie to
crash the application and potentially execute arbitrary code.
5) A boundary error within the processing of MPEG4 movies can be
exploited via a specially crafted MPEG4 movie to crash the
application and potentially execute arbitrary code.
6) An integer overflow error within the processing of FlashPix images
(".fpx") can be exploited via a specially crafted FlashPix image with
an overly large value in the field specifying the number of data
blocks in the file.
7) A boundary error within the processing of AVI movies can be
exploited via a specially crafted AVI movie to crash the application
and potentially execute arbitrary code.
8) Two boundary errors within the processing of PICT images can be
exploited to either cause a stack-based via a PICT image with
specially crafted font information or a heap-based buffer overflow
via a PICT image with specially crafted image data. This can be
exploited to crash the application and potentially execute arbitrary
code.
9) A boundary error within the processing of BMP images can be
exploited via a specially crafted BMP image to crash the application
and potentially execute arbitrary code.
SOLUTION:
Update to version 7.1.
http://www.apple.com/support/downloads/quicktime71.html
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) Mike Price of McAfee AVERT Labs and Sowhat of Nevis Labs.
3) Mike Price, McAfee AVERT Labs.
4) Mike Price of McAfee AVERT Labs and ATmaCA.
5) Mike Price, McAfee AVERT Labs.
6) Fang Xing of eEye Digital Security and Mike Price of McAfee AVERT
Labs.
7) Mike Price, McAfee AVERT Labs.
8) Mike Price, McAfee AVERT Labs.
9) Tom Ferris
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303752
eEye Digital Security:
http://www.eeye.com/html/research/advisories/AD20060511.html
Zero Day Initiative:
http://www.zerodayinitiative.com/advisories/ZDI-06-015.html
Sowhat:
http://secway.org/advisory/AD20060512.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200605-0216 | CVE-2006-1457 | Apple Safari fails to properly handle archive files containing symbolic links |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
Safari on Apple Mac OS X 10.4.6, when "Open `safe' files after downloading" is enabled, will automatically expand archives, which could allow remote attackers to overwrite arbitrary files via an archive that contains a symlink. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash an application and potentially execute arbitrary
code.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200605-0214 | CVE-2006-1455 | Apple QuickTime QuickTime Streaming Server Denial of service vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
QuickTime Streaming Server in Apple Mac OS X 10.3.9 and 10.4.6 allows remote attackers to cause a denial of service (crash and connection interruption) via a QuickTime movie with a missing track, which triggers a null dereference. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash an application and potentially execute arbitrary
code.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200605-0221 | CVE-2006-1462 | Apple QuickTime H.264 the film Integer overflow or buffer overflow vulnerability |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Multiple integer overflows in Apple QuickTime before 7.1 allow remote attackers to execute arbitrary code via a crafted QuickTime H.264 (M4V) video format file. Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime. These issues affect both Mac OS X and Microsoft Windows releases of the software.
Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. An attacker
could exploit these vulnerabilities by convincing a user to access
a specially crafted image or media file with a vulnerable version
of QuickTime. Since QuickTime configures most web browsers to
handle QuickTime media files, an attacker could exploit these
vulnerabilities using a web page.
For more information, please refer to the Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities could allow an remote,
unauthenticated attacker to execute arbitrary code or commands, and
cause a denial-of-service condition. For further information,
please see the Vulnerability Notes.
III.
Disable QuickTime in your web browser
An attacker may be able to exploit this vulnerability by persuading
a user to access a specially crafted file with a web
browser. Disabling QuickTime in your web browser will defend
against this attack vector. For more information, refer to the
Securing Your Web Browser document.
Appendix A. Please send
email to <cert@cert.org> with "TA06-132B Feedback VU#289705" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGT7JH0pj593lg50AQI2Uwf/U3zGDrR8UkWK4ry6AYMS7HPMdbiF6Vmo
9gP9Luc6Kj8zzxCWhnNKNzEq2P0B1oD03WcPFaIPnwvQJGApeUDRimyhQj8RDjME
yAUt/reWG7RZ0Z2w/qaiZP7pQ7SjyIUKkN2OCG8LMmGKqsiCdFXoss/Bu0yFMH11
uvgwibfvkOdRLAPmRTVWk+gJEAdw3xFySm9r92qmig6CxKi7GAIpi9Gf7MXcRsKg
oG3y5f06Kiq8ACYszPKneHE7WNvLP1ewuaWmf7PHiNebAB+W5hfwA2yEh6e6PSV2
eBi5cpigfXBrsjXk4L7wYrD8UcRl7nN8iqzWpMwYJkSloUmcYL1BBg==
=LsFu
-----END PGP SIGNATURE-----
. ____________________________________________________________________
McAfee, Inc.
McAfee Avert\x99 Labs Security Advisory
Public Release Date: 2006-05-11
Apple QuickDraw/QuickTime Multiple Vulnerabilities
CVE-2006-1249, CVE-2006-1453, CVE-2006-1454, CVE-2006-1459, CVE-2006-1460, CVE-2006-1461, CVE-2006-1462, CVE-2006-1464, CVE-2006-1465
______________________________________________________________________
* Synopsis
Apple QuickTime and Apple QuickDraw are multimedia technologies used to process image, audio and video data.
Two code execution vulnerabilities are present in QuickDraw PICT image format support.
Twenty one code execution vulnerabilities are present in QuickTime support for various multimedia formats including: MOV, H.264, MPEG 4, AVI, FPX and SWF. In order for an attack to succeed user interaction is required and therefore the risk factor for these issues is medium.
CVE-2006-1460
Five buffer overflow vulnerabilities are present in QuickTime MOV video format support.
CVE-2006-1461
Two buffer overflow vulnerabilities are present in QuickTime Flash (SWF) support.
CVE-2006-1464
One buffer overflow vulnerability is present in QuickTime MPEG4 (M4P) video format support.
CVE-2006-1465
One buffer overflow vulnerability is present in QuickTime AVI video format support.
______________________________________________________________________
* Legal Notice
Copyright (C) 2006 McAfee, Inc.
The information contained within this advisory is provided for the convenience of McAfee\x92s customers, and may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. McAfee makes no representations or warranties regarding the accuracy of the information referenced in this document, or the suitability of that information for your purposes.
McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
______________________________________________________________________
.
TITLE:
QuickTime Multiple Code Execution Vulnerabilities
SECUNIA ADVISORY ID:
SA20069
VERIFY ADVISORY:
http://secunia.com/advisories/20069/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
>From remote
SOFTWARE:
Apple Quicktime 4.x
http://secunia.com/product/7923/
Apple Quicktime 5.x
http://secunia.com/product/215/
Apple Quicktime 6.x
http://secunia.com/product/810/
Apple QuickTime 7.x
http://secunia.com/product/5090/
DESCRIPTION:
Multiple vulnerabilities have been reported in QuickTime, which can
be exploited by malicious people to compromise a user's system.
3) A boundary error within the processing of Flash movies can be
exploited via a specially crafted Flash movie to crash the
application and potentially execute arbitrary code.
5) A boundary error within the processing of MPEG4 movies can be
exploited via a specially crafted MPEG4 movie to crash the
application and potentially execute arbitrary code.
6) An integer overflow error within the processing of FlashPix images
(".fpx") can be exploited via a specially crafted FlashPix image with
an overly large value in the field specifying the number of data
blocks in the file.
7) A boundary error within the processing of AVI movies can be
exploited via a specially crafted AVI movie to crash the application
and potentially execute arbitrary code.
8) Two boundary errors within the processing of PICT images can be
exploited to either cause a stack-based via a PICT image with
specially crafted font information or a heap-based buffer overflow
via a PICT image with specially crafted image data. This can be
exploited to crash the application and potentially execute arbitrary
code.
9) A boundary error within the processing of BMP images can be
exploited via a specially crafted BMP image to crash the application
and potentially execute arbitrary code.
SOLUTION:
Update to version 7.1.
http://www.apple.com/support/downloads/quicktime71.html
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) Mike Price of McAfee AVERT Labs and Sowhat of Nevis Labs.
3) Mike Price, McAfee AVERT Labs.
4) Mike Price of McAfee AVERT Labs and ATmaCA.
5) Mike Price, McAfee AVERT Labs.
6) Fang Xing of eEye Digital Security and Mike Price of McAfee AVERT
Labs.
7) Mike Price, McAfee AVERT Labs.
8) Mike Price, McAfee AVERT Labs.
9) Tom Ferris
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303752
eEye Digital Security:
http://www.eeye.com/html/research/advisories/AD20060511.html
Zero Day Initiative:
http://www.zerodayinitiative.com/advisories/ZDI-06-015.html
Sowhat:
http://secway.org/advisory/AD20060512.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200605-0223 | CVE-2006-1464 | Apple QuickTime MPEG-4 movie buffer overflow |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a crafted QuickTime MPEG4 (M4P) video format file. Apple QuickTime fails to properly handle MPEG-4 movie files. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service condition. Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime. These issues affect both Mac OS X and Microsoft Windows releases of the software.
Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. An attacker
could exploit these vulnerabilities by convincing a user to access
a specially crafted image or media file with a vulnerable version
of QuickTime. Since QuickTime configures most web browsers to
handle QuickTime media files, an attacker could exploit these
vulnerabilities using a web page.
For more information, please refer to the Vulnerability Notes.
II. For further information,
please see the Vulnerability Notes.
III.
Disable QuickTime in your web browser
An attacker may be able to exploit this vulnerability by persuading
a user to access a specially crafted file with a web
browser. Disabling QuickTime in your web browser will defend
against this attack vector. For more information, refer to the
Securing Your Web Browser document.
Appendix A. Please send
email to <cert@cert.org> with "TA06-132B Feedback VU#289705" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGT7JH0pj593lg50AQI2Uwf/U3zGDrR8UkWK4ry6AYMS7HPMdbiF6Vmo
9gP9Luc6Kj8zzxCWhnNKNzEq2P0B1oD03WcPFaIPnwvQJGApeUDRimyhQj8RDjME
yAUt/reWG7RZ0Z2w/qaiZP7pQ7SjyIUKkN2OCG8LMmGKqsiCdFXoss/Bu0yFMH11
uvgwibfvkOdRLAPmRTVWk+gJEAdw3xFySm9r92qmig6CxKi7GAIpi9Gf7MXcRsKg
oG3y5f06Kiq8ACYszPKneHE7WNvLP1ewuaWmf7PHiNebAB+W5hfwA2yEh6e6PSV2
eBi5cpigfXBrsjXk4L7wYrD8UcRl7nN8iqzWpMwYJkSloUmcYL1BBg==
=LsFu
-----END PGP SIGNATURE-----
. ____________________________________________________________________
McAfee, Inc.
McAfee Avert\x99 Labs Security Advisory
Public Release Date: 2006-05-11
Apple QuickDraw/QuickTime Multiple Vulnerabilities
CVE-2006-1249, CVE-2006-1453, CVE-2006-1454, CVE-2006-1459, CVE-2006-1460, CVE-2006-1461, CVE-2006-1462, CVE-2006-1464, CVE-2006-1465
______________________________________________________________________
* Synopsis
Apple QuickTime and Apple QuickDraw are multimedia technologies used to process image, audio and video data.
Two code execution vulnerabilities are present in QuickDraw PICT image format support.
Twenty one code execution vulnerabilities are present in QuickTime support for various multimedia formats including: MOV, H.264, MPEG 4, AVI, FPX and SWF. In order for an attack to succeed user interaction is required and therefore the risk factor for these issues is medium.
CVE-2006-1461
Two buffer overflow vulnerabilities are present in QuickTime Flash (SWF) support.
______________________________________________________________________
* Legal Notice
Copyright (C) 2006 McAfee, Inc.
The information contained within this advisory is provided for the convenience of McAfee\x92s customers, and may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. McAfee makes no representations or warranties regarding the accuracy of the information referenced in this document, or the suitability of that information for your purposes.
McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
______________________________________________________________________
.
TITLE:
QuickTime Multiple Code Execution Vulnerabilities
SECUNIA ADVISORY ID:
SA20069
VERIFY ADVISORY:
http://secunia.com/advisories/20069/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
>From remote
SOFTWARE:
Apple Quicktime 4.x
http://secunia.com/product/7923/
Apple Quicktime 5.x
http://secunia.com/product/215/
Apple Quicktime 6.x
http://secunia.com/product/810/
Apple QuickTime 7.x
http://secunia.com/product/5090/
DESCRIPTION:
Multiple vulnerabilities have been reported in QuickTime, which can
be exploited by malicious people to compromise a user's system.
3) A boundary error within the processing of Flash movies can be
exploited via a specially crafted Flash movie to crash the
application and potentially execute arbitrary code.
6) An integer overflow error within the processing of FlashPix images
(".fpx") can be exploited via a specially crafted FlashPix image with
an overly large value in the field specifying the number of data
blocks in the file.
7) A boundary error within the processing of AVI movies can be
exploited via a specially crafted AVI movie to crash the application
and potentially execute arbitrary code.
8) Two boundary errors within the processing of PICT images can be
exploited to either cause a stack-based via a PICT image with
specially crafted font information or a heap-based buffer overflow
via a PICT image with specially crafted image data.
9) A boundary error within the processing of BMP images can be
exploited via a specially crafted BMP image to crash the application
and potentially execute arbitrary code.
SOLUTION:
Update to version 7.1.
http://www.apple.com/support/downloads/quicktime71.html
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) Mike Price of McAfee AVERT Labs and Sowhat of Nevis Labs.
3) Mike Price, McAfee AVERT Labs.
4) Mike Price of McAfee AVERT Labs and ATmaCA.
5) Mike Price, McAfee AVERT Labs.
6) Fang Xing of eEye Digital Security and Mike Price of McAfee AVERT
Labs.
7) Mike Price, McAfee AVERT Labs.
8) Mike Price, McAfee AVERT Labs.
9) Tom Ferris
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303752
eEye Digital Security:
http://www.eeye.com/html/research/advisories/AD20060511.html
Zero Day Initiative:
http://www.zerodayinitiative.com/advisories/ZDI-06-015.html
Sowhat:
http://secway.org/advisory/AD20060512.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200605-0211 | CVE-2006-1452 | Apple Mac OS Preview Stack overflow vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Stack-based buffer overflow in Preview in Apple Mac OS 10.4 up to 10.4.6 allows local users to execute arbitrary code via a deep directory hierarchy. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash an application and potentially execute arbitrary
code.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200605-0215 | CVE-2006-1456 | Apple Mac OS X QuickTime Streaming Server Buffer overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in QuickTime Streaming Server in Apple Mac OS X 10.3.9 and 10.4.6 allows remote attackers to execute arbitrary code via a crafted RTSP request, which is not properly handled during message logging. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash an application and potentially execute arbitrary
code.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200605-0218 | CVE-2006-1459 | Apple QuickTime QuickTime the film Integer overflow or buffer overflow vulnerability |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Multiple integer overflows in Apple QuickTime before 7.1 allow remote attackers to cause a denial of service or execute arbitrary code via a crafted QuickTime movie (.MOV). Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime. These issues affect both Mac OS X and Microsoft Windows releases of the software.
Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. An attacker
could exploit these vulnerabilities by convincing a user to access
a specially crafted image or media file with a vulnerable version
of QuickTime. Since QuickTime configures most web browsers to
handle QuickTime media files, an attacker could exploit these
vulnerabilities using a web page.
For more information, please refer to the Vulnerability Notes.
II. For further information,
please see the Vulnerability Notes.
III.
Disable QuickTime in your web browser
An attacker may be able to exploit this vulnerability by persuading
a user to access a specially crafted file with a web
browser. Disabling QuickTime in your web browser will defend
against this attack vector. For more information, refer to the
Securing Your Web Browser document.
Appendix A. Please send
email to <cert@cert.org> with "TA06-132B Feedback VU#289705" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGT7JH0pj593lg50AQI2Uwf/U3zGDrR8UkWK4ry6AYMS7HPMdbiF6Vmo
9gP9Luc6Kj8zzxCWhnNKNzEq2P0B1oD03WcPFaIPnwvQJGApeUDRimyhQj8RDjME
yAUt/reWG7RZ0Z2w/qaiZP7pQ7SjyIUKkN2OCG8LMmGKqsiCdFXoss/Bu0yFMH11
uvgwibfvkOdRLAPmRTVWk+gJEAdw3xFySm9r92qmig6CxKi7GAIpi9Gf7MXcRsKg
oG3y5f06Kiq8ACYszPKneHE7WNvLP1ewuaWmf7PHiNebAB+W5hfwA2yEh6e6PSV2
eBi5cpigfXBrsjXk4L7wYrD8UcRl7nN8iqzWpMwYJkSloUmcYL1BBg==
=LsFu
-----END PGP SIGNATURE-----
. ____________________________________________________________________
McAfee, Inc.
McAfee Avert\x99 Labs Security Advisory
Public Release Date: 2006-05-11
Apple QuickDraw/QuickTime Multiple Vulnerabilities
CVE-2006-1249, CVE-2006-1453, CVE-2006-1454, CVE-2006-1459, CVE-2006-1460, CVE-2006-1461, CVE-2006-1462, CVE-2006-1464, CVE-2006-1465
______________________________________________________________________
* Synopsis
Apple QuickTime and Apple QuickDraw are multimedia technologies used to process image, audio and video data.
Two code execution vulnerabilities are present in QuickDraw PICT image format support.
Twenty one code execution vulnerabilities are present in QuickTime support for various multimedia formats including: MOV, H.264, MPEG 4, AVI, FPX and SWF. In order for an attack to succeed user interaction is required and therefore the risk factor for these issues is medium.
CVE-2006-1459
Seven integer overflow vulnerabilities are present in QuickTime MOV video format support.
CVE-2006-1460
Five buffer overflow vulnerabilities are present in QuickTime MOV video format support.
CVE-2006-1461
Two buffer overflow vulnerabilities are present in QuickTime Flash (SWF) support.
CVE-2006-1462
Three integer overflow vulnerabilities are presenting QuickTime H.264 (M4V) video format support.
CVE-2006-1464
One buffer overflow vulnerability is present in QuickTime MPEG4 (M4P) video format support.
CVE-2006-1465
One buffer overflow vulnerability is present in QuickTime AVI video format support.
______________________________________________________________________
* Legal Notice
Copyright (C) 2006 McAfee, Inc.
The information contained within this advisory is provided for the convenience of McAfee\x92s customers, and may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. McAfee makes no representations or warranties regarding the accuracy of the information referenced in this document, or the suitability of that information for your purposes.
McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
______________________________________________________________________
.
TITLE:
QuickTime Multiple Code Execution Vulnerabilities
SECUNIA ADVISORY ID:
SA20069
VERIFY ADVISORY:
http://secunia.com/advisories/20069/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
>From remote
SOFTWARE:
Apple Quicktime 4.x
http://secunia.com/product/7923/
Apple Quicktime 5.x
http://secunia.com/product/215/
Apple Quicktime 6.x
http://secunia.com/product/810/
Apple QuickTime 7.x
http://secunia.com/product/5090/
DESCRIPTION:
Multiple vulnerabilities have been reported in QuickTime, which can
be exploited by malicious people to compromise a user's system.
3) A boundary error within the processing of Flash movies can be
exploited via a specially crafted Flash movie to crash the
application and potentially execute arbitrary code.
5) A boundary error within the processing of MPEG4 movies can be
exploited via a specially crafted MPEG4 movie to crash the
application and potentially execute arbitrary code.
6) An integer overflow error within the processing of FlashPix images
(".fpx") can be exploited via a specially crafted FlashPix image with
an overly large value in the field specifying the number of data
blocks in the file.
7) A boundary error within the processing of AVI movies can be
exploited via a specially crafted AVI movie to crash the application
and potentially execute arbitrary code.
8) Two boundary errors within the processing of PICT images can be
exploited to either cause a stack-based via a PICT image with
specially crafted font information or a heap-based buffer overflow
via a PICT image with specially crafted image data. This can be
exploited to crash the application and potentially execute arbitrary
code.
9) A boundary error within the processing of BMP images can be
exploited via a specially crafted BMP image to crash the application
and potentially execute arbitrary code.
SOLUTION:
Update to version 7.1.
http://www.apple.com/support/downloads/quicktime71.html
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) Mike Price of McAfee AVERT Labs and Sowhat of Nevis Labs.
3) Mike Price, McAfee AVERT Labs.
4) Mike Price of McAfee AVERT Labs and ATmaCA.
5) Mike Price, McAfee AVERT Labs.
6) Fang Xing of eEye Digital Security and Mike Price of McAfee AVERT
Labs.
7) Mike Price, McAfee AVERT Labs.
8) Mike Price, McAfee AVERT Labs.
9) Tom Ferris
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303752
eEye Digital Security:
http://www.eeye.com/html/research/advisories/AD20060511.html
Zero Day Initiative:
http://www.zerodayinitiative.com/advisories/ZDI-06-015.html
Sowhat:
http://secway.org/advisory/AD20060512.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200605-0206 | CVE-2006-1447 | Apple Mac OS X LaunchServices Input validation vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
LaunchServices in Apple Mac OS X 10.4.6 allows remote attackers to cause Safari to launch unsafe content via long file name extensions, which prevents Download Validation from determining which application will be used to open the file. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash an application and potentially execute arbitrary
code.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200605-0219 | CVE-2006-1460 | Apple QuickTime QuickTime the film Multiple buffer overflow vulnerabilities |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Multiple buffer overflows in Apple QuickTime before 7.1 allow remote attackers to execute arbitrary code via a crafted QuickTime movie (.MOV), as demonstrated via a large size for a udta Atom. Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime. These issues affect both Mac OS X and Microsoft Windows releases of the software.
Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. An attacker
could exploit these vulnerabilities by convincing a user to access
a specially crafted image or media file with a vulnerable version
of QuickTime. Since QuickTime configures most web browsers to
handle QuickTime media files, an attacker could exploit these
vulnerabilities using a web page.
For more information, please refer to the Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities could allow an remote,
unauthenticated attacker to execute arbitrary code or commands, and
cause a denial-of-service condition. For further information,
please see the Vulnerability Notes.
III.
Disable QuickTime in your web browser
An attacker may be able to exploit this vulnerability by persuading
a user to access a specially crafted file with a web
browser. Disabling QuickTime in your web browser will defend
against this attack vector. For more information, refer to the
Securing Your Web Browser document.
Appendix A. Please send
email to <cert@cert.org> with "TA06-132B Feedback VU#289705" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGT7JH0pj593lg50AQI2Uwf/U3zGDrR8UkWK4ry6AYMS7HPMdbiF6Vmo
9gP9Luc6Kj8zzxCWhnNKNzEq2P0B1oD03WcPFaIPnwvQJGApeUDRimyhQj8RDjME
yAUt/reWG7RZ0Z2w/qaiZP7pQ7SjyIUKkN2OCG8LMmGKqsiCdFXoss/Bu0yFMH11
uvgwibfvkOdRLAPmRTVWk+gJEAdw3xFySm9r92qmig6CxKi7GAIpi9Gf7MXcRsKg
oG3y5f06Kiq8ACYszPKneHE7WNvLP1ewuaWmf7PHiNebAB+W5hfwA2yEh6e6PSV2
eBi5cpigfXBrsjXk4L7wYrD8UcRl7nN8iqzWpMwYJkSloUmcYL1BBg==
=LsFu
-----END PGP SIGNATURE-----
. ____________________________________________________________________
McAfee, Inc.
McAfee Avert\x99 Labs Security Advisory
Public Release Date: 2006-05-11
Apple QuickDraw/QuickTime Multiple Vulnerabilities
CVE-2006-1249, CVE-2006-1453, CVE-2006-1454, CVE-2006-1459, CVE-2006-1460, CVE-2006-1461, CVE-2006-1462, CVE-2006-1464, CVE-2006-1465
______________________________________________________________________
* Synopsis
Apple QuickTime and Apple QuickDraw are multimedia technologies used to process image, audio and video data.
Two code execution vulnerabilities are present in QuickDraw PICT image format support.
Twenty one code execution vulnerabilities are present in QuickTime support for various multimedia formats including: MOV, H.264, MPEG 4, AVI, FPX and SWF. In order for an attack to succeed user interaction is required and therefore the risk factor for these issues is medium.
CVE-2006-1459
Seven integer overflow vulnerabilities are present in QuickTime MOV video format support.
CVE-2006-1460
Five buffer overflow vulnerabilities are present in QuickTime MOV video format support.
CVE-2006-1461
Two buffer overflow vulnerabilities are present in QuickTime Flash (SWF) support.
CVE-2006-1462
Three integer overflow vulnerabilities are presenting QuickTime H.264 (M4V) video format support.
CVE-2006-1464
One buffer overflow vulnerability is present in QuickTime MPEG4 (M4P) video format support.
CVE-2006-1465
One buffer overflow vulnerability is present in QuickTime AVI video format support.
______________________________________________________________________
* Legal Notice
Copyright (C) 2006 McAfee, Inc.
The information contained within this advisory is provided for the convenience of McAfee\x92s customers, and may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. McAfee makes no representations or warranties regarding the accuracy of the information referenced in this document, or the suitability of that information for your purposes.
McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
______________________________________________________________________
.
TITLE:
QuickTime Multiple Code Execution Vulnerabilities
SECUNIA ADVISORY ID:
SA20069
VERIFY ADVISORY:
http://secunia.com/advisories/20069/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
>From remote
SOFTWARE:
Apple Quicktime 4.x
http://secunia.com/product/7923/
Apple Quicktime 5.x
http://secunia.com/product/215/
Apple Quicktime 6.x
http://secunia.com/product/810/
Apple QuickTime 7.x
http://secunia.com/product/5090/
DESCRIPTION:
Multiple vulnerabilities have been reported in QuickTime, which can
be exploited by malicious people to compromise a user's system.
1) An integer overflow error within the processing of JPEG images can
be exploited via a specially crafted JPEG image to crash the
application and potentially execute arbitrary code.
3) A boundary error within the processing of Flash movies can be
exploited via a specially crafted Flash movie to crash the
application and potentially execute arbitrary code.
5) A boundary error within the processing of MPEG4 movies can be
exploited via a specially crafted MPEG4 movie to crash the
application and potentially execute arbitrary code.
6) An integer overflow error within the processing of FlashPix images
(".fpx") can be exploited via a specially crafted FlashPix image with
an overly large value in the field specifying the number of data
blocks in the file.
7) A boundary error within the processing of AVI movies can be
exploited via a specially crafted AVI movie to crash the application
and potentially execute arbitrary code.
8) Two boundary errors within the processing of PICT images can be
exploited to either cause a stack-based via a PICT image with
specially crafted font information or a heap-based buffer overflow
via a PICT image with specially crafted image data. This can be
exploited to crash the application and potentially execute arbitrary
code.
9) A boundary error within the processing of BMP images can be
exploited via a specially crafted BMP image to crash the application
and potentially execute arbitrary code.
SOLUTION:
Update to version 7.1.
http://www.apple.com/support/downloads/quicktime71.html
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) Mike Price of McAfee AVERT Labs and Sowhat of Nevis Labs.
3) Mike Price, McAfee AVERT Labs.
4) Mike Price of McAfee AVERT Labs and ATmaCA.
5) Mike Price, McAfee AVERT Labs.
6) Fang Xing of eEye Digital Security and Mike Price of McAfee AVERT
Labs.
7) Mike Price, McAfee AVERT Labs.
8) Mike Price, McAfee AVERT Labs.
9) Tom Ferris
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303752
eEye Digital Security:
http://www.eeye.com/html/research/advisories/AD20060511.html
Zero Day Initiative:
http://www.zerodayinitiative.com/advisories/ZDI-06-015.html
Sowhat:
http://secway.org/advisory/AD20060512.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200605-0205 | CVE-2006-1446 | Apple Mac OS X Keychain Information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Keychain in Apple Mac OS X 10.3.9 and 10.4.6 might allow an application to bypass a locked Keychain by first obtaining a reference to the Keychain when it is unlocked, then reusing that reference after the Keychain has been locked. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash an application and potentially execute arbitrary
code.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200605-0210 | CVE-2006-1451 | Apple Mac OS X MySQL Manager Input validation vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
MySQL Manager in Apple Mac OS X 10.3.9 and 10.4.6, when setting up a new MySQL database server, does not use the "New MySQL root password" that is provided, which causes the MySQL root password to be blank and allows local users to gain full privileges to that database. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash an application and potentially execute arbitrary
code.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200605-0204 | CVE-2006-1445 | Apple Mac OS X Ftp service Buffer overflow vulnerability |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
Buffer overflow in the FTP server (FTPServer) in Apple Mac OS X 10.3.9 and 10.4.6 allows remote authenticated users to execute arbitrary code via vectors related to "FTP server path name handling.". Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash an application and potentially execute arbitrary
code.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200605-0203 | CVE-2006-1444 | Apple Mac OS X CoreGraphics Access control bypass vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
CoreGraphics in Apple Mac OS X 10.4.6, when "Enable access for assistive devices" is on, allows an application to bypass restrictions for secure event input and read certain events from other applications in the same window session by using Quartz Event Services. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash an application and potentially execute arbitrary
code.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200605-0202 | CVE-2006-1443 | Apple Mac OS X CoreFoundation Buffer overflow vulnerability |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
Integer underflow in CoreFoundation in Apple Mac OS X 10.3.9 and 10.4.6 allows context-dependent attackers to execute arbitrary code via unspecified vectors involving conversions from string to file system representation within (1) CFStringGetFileSystemRepresentation or (2) getFileSystemRepresentation:maxLength:withPath in NSFileManager, and possibly other similar API functions. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash an application and potentially execute arbitrary
code.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200605-0209 | CVE-2006-1450 | Apple Mac OS X Mail Arbitrary code execution vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Mail in Apple Mac OS X 10.3.9 and 10.4.6 allows remote attackers to execute arbitrary code via an enriched text e-mail message with "invalid color information" that causes Mail to allocate and initialize arbitrary classes. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash an application and potentially execute arbitrary
code.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200605-0208 | CVE-2006-1449 | Apple Mac OS X Mail Integer overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Integer overflow in Mail in Apple Mac OS X 10.3.9 and 10.4.6 allows remote attackers to execute arbitrary code via a crafted MacMIME encapsulated attachment. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash an application and potentially execute arbitrary
code.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200605-0207 | CVE-2006-1448 | Apple QuickTime Finder Arbitrary code execution vulnerability |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
Finder in Apple Mac OS X 10.3.9 and 10.4.6 allows user-assisted attackers to execute arbitrary code by tricking a user into launching an Internet Location item that appears to use a safe URL scheme, but which actually has a different and more risky scheme. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash an application and potentially execute arbitrary
code.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200605-0199 | CVE-2006-1440 | Apple Mac OS X BOM Input validation vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
BOM in Apple Mac OS X 10.3.9 and 10.4.6 allows attackers to overwrite arbitrary files via an archive that contains symbolic links. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash an application and potentially execute arbitrary
code.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200605-0198 | CVE-2006-1439 | Apple Mac OS X AppKi NSSecureTextField Is a verification vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
NSSecureTextField in AppKit in Apple Mac OS X 10.4.6 does not re-enable secure event input under certain circumstances, which could allow other applications in the window session to monitor input characters and keyboard events. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash an application and potentially execute arbitrary
code.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----