VARIoT IoT vulnerabilities database
VAR-200711-0331 | CVE-2007-4691 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The NSURL component in Apple Mac OS X 10.4 through 10.4.10 performs case-sensitive comparisons that allow attackers to bypass intended restrictions for local file system URLs. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
VAR-200711-0334 | CVE-2007-4694 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Safari in Apple Mac OS X 10.4 through 10.4.10 allows remote attackers to access local content via file:// URLs. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
VAR-200711-0333 | CVE-2007-4693 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The SecurityAgent component in Mac OS X 10.4 through 10.4.10 allows attackers with physical access to bypass the authentication dialog of the screen saver and send keystrokes to a process, related to "handling of keyboard focus between secure text fields.". Apple Mac OS X CoreText contains an uninitialized pointer vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
VAR-200711-0329 | CVE-2007-4689 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Double free vulnerability in the Networking component in Apple Mac OS X 10.4 through 10.4.10 allows remote attackers to cause a denial of service (system shutdown) or execute arbitrary code via crafted IPV6 packets. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
VAR-200711-0332 | CVE-2007-4692 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The tabbed browsing feature in Apple Safari 3 before Beta Update 3.0.4 on Windows, and Mac OS X 10.4 through 10.4.10, allows remote attackers to spoof HTTP authentication for other sites and possibly conduct phishing attacks by causing an authentication sheet to be displayed for a tab that is not active, which makes it appear as if it is associated with the active tab. Apple Mac OS X CoreText contains an uninitialized pointer vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues. Apple Safari is prone to an information-disclosure vulnerability because of a design issue related to tabbed browsing.
Attackers may be able to access user credentials or other potentially sensitive information that would aid in phishing attacks. Users may think that the authentication form is from the current active page, which may lead to leakage of user data.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
VAR-200711-0330 | CVE-2007-4690 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Double free vulnerability in the NFS component in Apple Mac OS X 10.4 through 10.4.10 allows remote authenticated users to execute arbitrary code via a crafted AUTH_UNIX RPC packet. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
VAR-200711-0327 | CVE-2007-4687 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The remote_cmds component in Apple Mac OS X 10.4 through 10.4.10 contains a symbolic link from the tftpboot private directory to the root directory, which allows tftpd users to escape the private directory and access arbitrary files. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
VAR-200711-0328 | CVE-2007-4688 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Networking component in Apple Mac OS X 10.4 through 10.4.10 allows remote attackers to obtain all addresses for a host, including link-local addresses, via a Node Information Query. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
VAR-200711-0325 | CVE-2007-4685 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The kernel in Apple Mac OS X 10.4 through 10.4.10 allows local users to gain privileges by executing setuid or setgid programs in which the stdio, stderr, or stdout file descriptors are "in an unexpected state.". Apple Mac OS X CoreText contains an uninitialized pointer vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
VAR-200711-0326 | CVE-2007-4686 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Integer signedness error in the ttioctl function in bsd/kern/tty.c in the xnu kernel in Apple Mac OS X 10.4 through 10.4.10 allows local users to cause a denial of service (system shutdown) or gain privileges via a crafted TIOCSETD ioctl request. Apple Mac OS X CoreText contains an uninitialized pointer vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
.
======================
Technical description:
======================
Kernel source file: bsd/kern/tty.c
(from http://www.opensource.apple.com/darwinsource/10.4.8.x86/xnu-792.13.8/)
822 int
823 ttioctl(register struct tty *tp,
824 u_long cmd, caddr_t data, int flag,
825 struct proc *p)
826 {
[...]
1085 bcopy(t->c_cc, tp->t_cc, sizeof(t->c_cc));
1086 splx(s);
1087 break;
1088 }
1089 case TIOCSETD: { /* set line discipline */
1090 register int t = *(int *)data; <--- (1)
1091 dev_t device = tp->t_dev;
1092
1093 if (t >= nlinesw) <--- (2)
1094 return (ENXIO);
1095 if (t != tp->t_line) {
1096 s = spltty();
1097 (*linesw[tp->t_line].l_close)(tp, flag);
1098 error = (*linesw[t].l_open)(device, tp); <--- (3)
1099 if (error) {
1100 (void)(*linesw[tp->t_line].l_open)(device, tp);
1101 splx(s);
1102 return (error);
1103 }
1104 tp->t_line = t;
1105 splx(s);
1106 }
1107 break;
1108 }
In line 1090 the user supplied "data" of the type caddr_t (char *) gets
stored in the variable "t" of the type signed int (see (1)). Then in line
1093 the value of "t" is compared with "nlinesw". As "data" is supplied
by the user it is possible to provide a string value >= 0x80000000. If so,
"t" gets a negative value due to the type conversion error (see (1)) and
the check in line 1093 will always be passed (see (2)). In line 1098 the user
supplied value "t" is used to reference and call "l_open". This leads to full
control of the kernel execution flow.
Corresponding assembler code snippet:
__text:00356C08 loc_356C08:
__text:00356C08 mov eax, [ebp+arg_8]
__text:00356C0B mov ebx, [eax] <--- (1)
__text:00356C0D mov edx, [ebp+arg_0]
__text:00356C10 mov edx, [edx+64h]
__text:00356C13 mov [ebp+var_58], edx
__text:00356C16 cmp ebx, ds:457880h <--- (2)
__text:00356C1C jl short loc_356C28
__text:00356C1E mov esi, 6
__text:00356C23 jmp loc_356F70
__text:00356C28 ; --------------------------------
__text:00356C28
__text:00356C28 loc_356C28:
__text:00356C28 mov ecx, [ebp+arg_0]
__text:00356C2B cmp ebx, [ecx+60h]
__text:00356C2E jz loc_356633
__text:00356C34 call _spltty
__text:00356C39 mov edi, eax
__text:00356C3B mov esi, [ebp+arg_0]
__text:00356C3E mov eax, [esi+60h]
__text:00356C41 shl eax, 5
__text:00356C44 mov edx, [ebp+arg_C]
__text:00356C47 mov [esp+0B8h+var_B4], edx
__text:00356C4B mov [esp+0B8h+var_B8], esi
__text:00356C4E call ds:off_4578A4[eax]
__text:00356C54 mov eax, ebx <--- (3)
__text:00356C56 shl eax, 5 <--- (4)
__text:00356C59 mov [esp+0B8h+var_B4], esi
__text:00356C5D mov ecx, [ebp+var_58]
__text:00356C60 mov [esp+0B8h+var_B8], ecx
__text:00356C63 call ds:_linesw[eax] <--- (5)
(1) The user supplied data is copied into EBX
(2) EBX is compared with nlinesw
(3) The user supplied data in EBX is copied into EAX
(4) Slightly modification of EAX
(5) The user supplied value in EAX is used as a reference in this call
=================
Proof of Concept:
=================
Due to the severity of this issue no proof of concept exploit code
will be released.
http://www.apple.com/support/downloads/
========
History:
========
2007/03/19 - Vendor notified
2007/03/19 - Automated reply from vendor
2007/03/26 - Vendor asks for more details
2007/04/01 - Provided vendor with more details
2007/04/04 - Status update from vendor
2007/04/06 - Vendor confirms the vulnerability
2007/05/11 - Status update request
2007/06/22 - Status update from vendor
2007/11/14 - Update released by the vendor
2007/11/15 - Full technical details released to general
public
========
Credits:
========
Vulnerability found and advisory written by Tobias Klein.
===========
References:
===========
[1] http://docs.info.apple.com/article.html?artnum=307041
[2] http://www.trapkit.de/advisories/TKADV2007-001.txt
========
Changes:
========
Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release
===========
Disclaimer:
===========
The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.
==================
PGP Signature Key:
==================
http://www.trapkit.de/advisories/tk-advisories-signature-key.asc
Copyright 2007 Tobias Klein. All rights reserved
VAR-200711-0317 | CVE-2007-4700 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in WebKit on Apple Mac OS X 10.4 through 10.4.10 allows remote attackers to use Safari as an indirect proxy and send attacker-controlled data to arbitrary TCP ports via unknown vectors. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
VAR-200711-0312 | CVE-2007-4695 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Unspecified "input validation" vulnerability in WebCore in Apple Mac OS X 10.4 through 10.4.10 allows remote attackers to modify form field values via unknown vectors related to file uploads. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
VAR-200711-0318 | CVE-2007-4701 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
WebKit on Apple Mac OS X 10.4 through 10.4.10 does not create temporary files securely when Safari is previewing a PDF file, which allows local users to read the contents of that file. Apple Mac OS X CoreText contains an uninitialized pointer vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
VAR-200711-0316 | CVE-2007-4699 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The default configuration of Safari in Apple Mac OS X 10.4 through 10.4.10 adds a private key to the keychain with permissions that allow other applications to access the key without warning the user, which might allow other applications to bypass intended access restrictions. Apple Mac OS X CoreText contains an uninitialized pointer vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
VAR-200711-0310 | CVE-2007-4683 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in the kernel in Apple Mac OS X 10.4 through 10.4.10 allows local users to bypass the chroot mechanism via a relative path when changing the current working directory. Apple Mac OS X CoreText contains an uninitialized pointer vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
VAR-200711-0309 | CVE-2007-4682 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
CoreText in Apple Mac OS X 10.4 through 10.4.10 allows attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted text content that triggers an access of an uninitialized object pointer. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
VAR-200711-0314 | CVE-2007-4697 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in WebCore in Apple Mac OS X 10.4 through 10.4.10 allows remote attackers to cause a denial of service (application termination) or execute arbitrary code via unknown vectors related to browser history, which triggers memory corruption. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
VAR-200711-0313 | CVE-2007-4696 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Race condition in WebCore in Apple Mac OS X 10.4 through 10.4.10 allows remote attackers to obtain information for forms from other sites via unknown vectors related to "page transitions" in Safari. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
VAR-200711-0315 | CVE-2007-4698 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apple Safari 3 before Beta Update 3.0.4 on Windows, and Mac OS X 10.4 through 10.4.10, allows remote attackers to conduct cross-site scripting (XSS) attacks by causing JavaScript events to be associated with the wrong frame. Apple Mac OS X CoreText contains an uninitialized pointer vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues. Apple Safari is prone to a vulnerability that lets attackers bypass the same-origin policy.
NOTE: This issue may be related to BID 25851 - Apple iPhone Safari Browser Frame Events Same-Origin Policy Bypass Vulnerability (CVE-2007-3761).
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
VAR-200711-0311 | CVE-2007-4684 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
Integer overflow in the kernel in Apple Mac OS X 10.4 through 10.4.10 allows local users to execute arbitrary code via a large num_sels argument to the i386_set_ldt system call. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----