Ever wonder about Apple Security updates? (long)
#1
Ever wonder what kind of things your Apple security updates are for? Below is a list of the 41 vulnerabilities that a recent update was supposed to fix. I'm not posting this to bash Apple in any way; it's meant as an educational exercise to remind you that OS X does have vulnerabilities, even though none have been successfully exploited (that we know of).

Apple has released Security Update 2007-008 to address 41 vulnerabilities in Apple Mac Operating System (OS) X and various Apple applications running on Mac OS X. Mac OS X is an operating system developed and sold by Apple Computer, Inc. that is included with Apple Macintosh computers. These vulnerabilities exist due to unchecked buffers, error conditions, and incorrect security settings in the software. To exploit the most serious of these vulnerabilities, an attacker would have to send specific maliciously-crafted packets or files to an affected system. Successful exploitation of these vulnerabilities would allow a local or remote attacker to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and compromise vulnerable systems.

At this time, there are no known exploits publicly or privately available.


Technical Overview:
Multiple vulnerabilities exist which affect Mac OS X and various applications, including AppleRAID, bzip2, BIND, CFFTP, CFNetwork, CoreFoundation, CoreText, Flash Player Plug-In, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
bzip2 Vulnerability (CVE-2005-0953, CVE-2005-1260):
Multiple vulnerabilities in bzip2. bzip2 has been updated to version 1.0.4 to address a remote denial of service, and a race condition which occurs during modification of file permissions. Further information is available via the bzip2 web site at http://bzip.org/

CFNetwork Vulnerability (CVE-2007-0464):
Parsing HTTP replies using the CFNetwork framework may result in an unexpected application termination. A null pointer dereference vulnerability exists in the CFNetwork framework. By enticing a user to use a vulnerable application to connect to a malicious server, an attacker may cause an unexpected application termination. There are no known vulnerable applications. This vulnerability does not lead to arbitrary code execution. This has been described on the Month of Apple Bugs web site (MOAB-25-01-2007). This update addresses the vulnerability by performing additional validation of HTTP replies. This vulnerability does not affect systems prior to Mac OS X v10.4.

BIND Vulnerability (CVE-2007-2926):
An attacker may be able to control the content provided by a DNS server. ISC BIND 9 through 9.5.0a5 uses a weak random number generator during the creation of DNS query IDs when answering resolver questions or sending NOTIFY messages to slave name servers. This makes it easier for remote attackers to guess the next query ID and perform DNS cache poisoning. This update addresses the vulnerability by improving the random number generator.

Flash Player Plug-in Vulnerability (CVE-2007-3456):
Opening maliciously crafted Flash content may lead to arbitrary code execution. An input validation vulnerability exists in Adobe Flash Player. By enticing a user to open maliciously crafted Flash content, an attacker may cause arbitrary code execution. This update addresses the vulnerability by updating Adobe Flash Player to version 9.0.47.0. Further information is available via the Adobe web site at http://www.adobe.com/support/security/bu...07-12.html

Kerberos Vulnerabilities (CVE-2007-3999, CVE-2007-4743):
A remote attacker may be able to cause a denial of service or arbitrary code execution if the Kerberos administration daemon is enabled. A stack buffer overflow exists in the MIT Kerberos administration daemon (kadmind), which may lead to an unexpected application termination or arbitrary code execution with system privileges. Further information is available via the MIT Kerberos web site at http://web.mit.edu/Kerberos/ This vulnerability does not affect systems prior to Mac OS X v10.4.

Kernel kevent() Vulnerability (CVE-2006-6127):
A local user may be able to cause an unexpected system shutdown. An implementation vulnerability exists in kevent() when registering a NOTE_TRACK kernel event with a kernel event queue created by a parent process. This could allow a local user to cause an unexpected system shutdown. This vulnerability has been described on the Month of Kernel Bugs web site (MOKB-24-11-2006). This update addresses the vulnerability by removing support for the NOTE_TRACK event.

Kernel Mach thread Vulnerability (CVE-2007-3749):
A local user may be able to execute arbitrary code with system privileges. When executing a privileged binary, the kernel does not reset the current Mach thread port or thread exception port. As a result, a local user may be able to write arbitrary data into the address space of the process running as system, which could lead to arbitrary code execution with system privileges. This update addresses the vulnerability by resetting all the special ports that need to be reset.

Kernel chroot Vulnerability (CVE-2007-4683):
Processes restricted via the chroot system call may access arbitrary files. The chroot mechanism is intended to restrict the set of files that a process can access. By changing the working directory using a relative path, an attacker may bypass this restriction. This update addresses the vulnerability through improved access checks.

Kernel i386_set_ldt Vulnerability (CVE-2007-4684):
A local user may obtain system privileges. An integer overflow exists within the i386_set_ldt system call, which may allow a local user to execute arbitrary code with elevated privileges. This update addresses the vulnerability through improved validation of input arguments.

Kernel setuid and setgid Vulnerability (CVE-2007-4685):
A local user may obtain system privileges. A vulnerability exists in the handling of standard file descriptors while executing setuid and setgid programs. This could allow a local user to obtain system privileges by executing setuid programs with the standard file descriptors in an unexpected state. This update addresses the vulnerability by initializing standard file descriptors to a known state when executing setuid or setgid programs.

Kernel ioctl Vulnerability (CVE-2007-4686):
Maliciously crafted ioctl requests may lead to an unexpected system shutdown or arbitrary code execution with system privileges. An integer overflow exists in the handling of an ioctl request. By sending a maliciously crafted ioctl request, a local user may cause an unexpected system shutdown or arbitrary code execution with system privileges. This update addresses the vulnerability by performing additional validation of ioctl requests.

Networking ioctl Vulnerability (CVE-2007-4267):
If AppleTalk is enabled and in routing mode, a local user may cause an unexpected system shutdown or arbitrary code execution. Adding a new AppleTalk zone could trigger a stack buffer overflow vulnerability. By sending a maliciously crafted ioctl request to an AppleTalk socket, a local user may cause an unexpected system shutdown or arbitrary code execution with system privileges. This update addresses the vulnerability in AppleTalk through improved bounds checking on ioctl requests.

Networking memory handling Vulnerability (CVE-2007-4268):
If AppleTalk is enabled, a local user may cause an unexpected system shutdown or arbitrary code execution with system privileges. An arithmetic error exists in AppleTalk when handling memory allocations, which may lead to a heap buffer overflow. By sending a maliciously crafted AppleTalk message, a local user may cause an unexpected system shutdown or arbitrary code execution with system privileges. This update addresses the vulnerability through improved bounds checking on AppleTalk messages.

Networking ASP Vulnerability (CVE-2007-4269):
An integer overflow exists in the handling of ASP messages with AppleTalk. By sending a maliciously crafted ASP message on an AppleTalk socket, a local user may cause an unexpected system shutdown or arbitrary code execution with system privileges. This update addresses the vulnerability by performing additional validation of ASP messages.

Networking Node Information Query Vulnerability (CVE-2007-4688):
A remote user may obtain all addresses of a host. An implementation vulnerability exists in the Node Information Query mechanism, which may allow a remote user to query for all addresses of a host, including link-local addresses. This update addresses the vulnerability by dropping node information queries from systems not on the local network.


Networking IPv6 packet Vulnerability (CVE-2007-4689):
Certain IPv6 packets may cause an unexpected system shutdown or arbitrary code execution. A double-free vulnerability exists in the handling of certain IPv6 packets, which may lead to an unexpected system shutdown or arbitrary code execution with system privileges. This update addresses the vulnerability through improved handling of IPv6 packets. This vulnerability does not affect systems with Intel processors.

AppleRAID Vulnerability (CVE-2007-4678)
Opening a maliciously crafted disk image may lead to an unexpected system shutdown. A null pointer dereference vulnerability in AppleRAID may be triggered when mounting a striped disk image. This may lead to an unexpected system shutdown. Note that Safari will automatically mount disk images when "Open 'safe' files after downloading" is enabled. This update addresses the vulnerability by performing additional validation of disk images.

CFFTP Vulnerability (CVE-2007-4679)
A user's FTP client could be remotely controlled to connect to other hosts. An implementation vulnerability exists in the File Transfer Protocol (FTP) portion of CFNetwork. By sending maliciously crafted replies to FTP PASV (passive) commands, FTP servers are able to cause clients to connect to other hosts. This update addresses the vulnerability by performing additional validation of IP addresses. This vulnerability does not affect systems prior to Mac OS X v10.4.

CFNetwork Vulnerability (CVE-2007-4680):
A remote attacker may be able to cause an untrusted certificate to appear trusted. A vulnerability exists in the validation of certificates. A man-in-the-middle attacker may be able to direct the user to a legitimate site with a valid SSL certificate, then re-direct the user to a spoofed web site that incorrectly appears to be trusted. This could allow user credentials or other information to be collected. This update addresses the vulnerability through improved validation of certificates.

CoreFoundation Vulnerability (CVE-2007-4681):
Reading a directory hierarchy may lead to an unexpected application termination or arbitrary code execution. A one-byte buffer overflow may occur in CoreFoundation when listing the contents of a directory. By enticing a user to read a maliciously crafted directory hierarchy, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the vulnerability by ensuring that the destination buffer is sized to contain the data.

CoreText Vulnerability (CVE-2007-4682)
Viewing maliciously crafted text content may lead to an unexpected application termination or arbitrary code execution. An uninitialized object pointer vulnerability exists in the handling of text content. By enticing a user to view maliciously crafted text content, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the vulnerability by performing additional validation of object pointers.

remote_cmds Vulnerability (CVE-2007-4687):
If tftpd is enabled, the default configuration allows clients to access any path on the system. By default, the /private/tftpboot/private directory contains a symbolic link to the root directory, which allows clients to access any path on the system. This update addresses the vulnerability by removing the /private/tftpboot/private directory.

NFS Vulnerability (CVE-2007-4690)
A maliciously crafted AUTH_UNIX RPC call may lead to an unexpected system shutdown or arbitrary code execution. A double free vulnerability in NFS may be triggered when processing an AUTH_UNIX RPC call. By sending a maliciously crafted AUTH_UNIX RPC call via TCP or UDP, a remote attacker may cause an unexpected system shutdown or arbitrary code execution. This update addresses the vulnerability through improved validation of AUTH_UNIX RPC packets.

NSURL Vulnerability (CVE-2007-4691)
Visiting a malicious web site may result in arbitrary code execution. A case-sensitivity vulnerability exists in NSURL when determining if a URL references the local file system. This may cause a caller of the API to make incorrect security decisions, potentially leading to the execution of files on the local system or network volumes without appropriate warnings. This update addresses the vulnerability by using a case insensitive comparison.

Safari format string Vulnerability (CVE-2007-0646):
Opening a .download file with a maliciously crafted name may lead to an unexpected application termination or arbitrary code execution. A format string vulnerability exists in Safari. By enticing a user to open a .download file with a maliciously crafted name, an attacker may cause an unexpected application termination or arbitrary code execution. This has been described on the Month of Apple Bugs web site (MOAB-30-01-2007). This update addresses the vulnerability through improved handling of format strings.

Safari Tabbed browsing Vulnerability (CVE-2007-4692):
A vulnerability in Safari Tabbed browsing may lead to the disclosure of user credentials. An implementation vulnerability exists in the Tabbed browsing feature of Safari. If HTTP authentication is used by a site being loaded in a tab other than the active tab, an authentication sheet may be displayed although the tab and its corresponding page are not visible. The user may consider the sheet to come from the currently active page, which may lead to the disclosure of user credentials. This update addresses the vulnerability through improved handling of authentication sheets.

SecurityAgent Vulnerability (CVE-2007-4693):
A person with physical access to a system may be able to bypass the screen saver authentication dialog. When waking a computer from sleep or screen saver, a person with physical access may be able to send keystrokes to a process running behind the screen saver authentication dialog. This update addresses the vulnerability through improved handling of keyboard focus between secure text fields.

WebCore URL Vulnerability (CVE-2007-3756):
Visiting a malicious website may lead to the disclosure of URL contents. Safari may allow a web page to read the URL that is currently being viewed in its parent window. By enticing a user to visit a maliciously crafted web page, an attacker may be able to obtain the URL of an unrelated page. This update addresses the vulnerability through an improved cross-domain security check.

WebCore JavaScript Vulnerability (CVE-2007-3758):
Visiting a malicious website may lead to cross-site scripting. A cross-site scripting vulnerability in Safari allows malicious websites to set JavaScript window properties of websites served from a different domain. By enticing a user to visit a maliciously crafted web page, an attacker may be able to get or set the window status and location of pages served from other websites. This update addresses the vulnerability by providing improved access controls on these properties.

WebCore cross-site scripting Vulnerability (CVE-2007-3760):
Visiting a malicious website may result in cross-site scripting. A cross-site scripting vulnerability in Safari allows a malicious website to bypass the same origin policy by hosting embedded objects with javascript: URLs. By enticing a user to visit a maliciously crafted web page, an attacker may cause the execution of JavaScript in the context of another site. This update addresses the vulnerability by restricting the use of the javascript: URL scheme and adding additional origin validation for these URLs.

WebCore HTTPS Vulnerability (CVE-2007-4671):
JavaScript on websites may access or manipulate the contents of documents served over HTTPS. A vulnerability in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. By enticing a user to visit a maliciously crafted web page, an attacker may cause the execution of JavaScript in the context of HTTPS web pages in that domain. This update addresses the vulnerability by preventing JavaScript access from HTTP to HTTPS frames.

WebCore file URLs Vulnerability (CVE-2007-4694):
Local files may be loaded from remote content. Safari does not block file: URLs when loading resources. By enticing a user to visit a maliciously crafted website, a remote attacker may view the content of local files, which may lead to the disclosure of sensitive information. This update addresses the vulnerability by preventing local files from being loaded from remote content.

WebCore HTML form Vulnerability (CVE-2007-4695):
Uploading a maliciously crafted file may allow the tampering of form data. An input validation vulnerability exists in the handling of HTML forms. By enticing a user to upload a maliciously crafted file, an attacker may alter the values of form fields, which may lead to unexpected behavior when the form is processed by the server. This update addresses the vulnerability through improved handling of file uploads.

WebCore page transitions Vulnerability (CVE-2007-4696):
Visiting a malicious website may lead to the disclosure of sensitive information. A race condition exists in Safari's handling of page transitions. By enticing a user to visit a malicious web page, an attacker may be able to obtain information entered in forms on other web sites, which may lead to the disclosure of sensitive information. This update addresses the vulnerability by properly clearing form data during page transitions.

WebCore memory corruption Vulnerability (CVE-2007-4697):
Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. A memory corruption vulnerability exists in the handling of the browser's history. By enticing a user to visit a maliciously crafted web page, an attacker may cause an unexpected application termination or arbitrary code execution.

WebCore Safari JavaScript Vulnerability (CVE-2007-4698):
Visiting a malicious website may result in cross-site scripting. Safari allows JavaScript events to be associated with the wrong frame. By enticing a user to visit a maliciously crafted web page, an attacker may cause the execution of JavaScript in the context of another site. This update addresses the vulnerability by associating JavaScript events with the correct source frame.

WebKit private key Vulnerability (CVE-2007-4699):
Unauthorized applications may access private keys added to the keychain by Safari. By default, when Safari adds a private key to the keychain, it allows all applications to access the key without warning. This update addresses the vulnerability by asking the user for permission when applications other than Safari attempt to use the key.

WebKit TCP port Vulnerability (CVE-2007-4700):
A malicious website may be able to cause Safari to send remotely specified data to arbitrary TCP ports. Safari may allow a malicious website to send remotely specified data to arbitrary TCP ports. This update addresses the vulnerability by blocking access to certain ports.

WebKit PDF Vulnerability (CVE-2007-4701):
A local user may be able to read the content of opened PDF files. WebKit/Safari creates temporary files insecurely when previewing a PDF file, which may allow a local user to access the file's content. This may lead to the disclosure of sensitive information. This update addresses the vulnerability by using more restrictive permissions for temporary files during PDF preview.
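The setuid/setgid descriptor entry (CVE-2007-4685) above describes a bug class worth seeing in code. In its classic form a caller closes fd 0, 1 or 2 before exec'ing a privileged program; the first file that program opens then lands on a standard descriptor, and a later diagnostic written to "stderr" goes into that file instead. The advisory's fix lives in the kernel, but a privileged program can defend itself the same way before it opens anything. The following is an added example in C, written for this thread and not Apple's code; the function name is mine, and it assumes a POSIX system with /dev/null.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Make sure descriptors 0, 1 and 2 are open before the program opens any
 * file of its own, so that a caller who exec'd us with a standard fd closed
 * cannot make our first open() land on stdin/stdout/stderr.
 *
 * Returns the number of descriptors that had to be reopened onto /dev/null,
 * or -1 if /dev/null itself could not be opened (treat that as fatal in a
 * setuid program: better to exit than to run with unknown descriptors).
 * Call this at the very top of main(), before any other open(). */
static int sanitize_std_fds(void)
{
    int reopened = 0;

    for (int fd = 0; fd <= 2; fd++) {
        /* F_GETFD is the cheapest way to ask "is this fd open?" without
         * touching the underlying file. */
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;                       /* already open: leave it alone */

        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;

        /* open() returns the lowest free descriptor. Because we walk 0,1,2
         * in order and every lower fd is open by now, nfd == fd. The dup2
         * branch is purely defensive. */
        if (nfd != fd) {
            if (dup2(nfd, fd) == -1) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        reopened++;
    }
    return reopened;
}
```

A program that does this still has to treat stdout/stderr as possibly pointing at /dev/null, which is what you want: output is lost, nothing is written into an unexpected file. The same idea, applied at the kernel level on exec of a setuid or setgid binary, is what the advisory describes as "initializing standard file descriptors to a known state".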
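The CFFTP entry (CVE-2007-4679) is a protocol check that many FTP clients have got wrong: the server's 227 reply to PASV carries an IP address and port, and a client that connects wherever it is told can be pointed at a third host. Below is the validation in C as an added example for this thread (not CFNetwork code): parse the reply, range-check every field, and refuse a data connection to any host other than the one the control connection is already talking to. The reply strings in the comments and test are constructed, and the function names are mine.

```c
#include <stdio.h>
#include <string.h>

/* Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." into a dotted-quad
 * host (at least 16 bytes) and a port. Returns 0 on success, -1 if the reply
 * is malformed or any field is out of range. */
static int parse_pasv(const char *reply, char host[16], unsigned *port)
{
    unsigned h1, h2, h3, h4, p1, p2;
    const char *p = strchr(reply, '(');

    if (p == NULL)
        return -1;
    if (sscanf(p, "(%u,%u,%u,%u,%u,%u)", &h1, &h2, &h3, &h4, &p1, &p2) != 6)
        return -1;
    /* Each field is one octet; %u happily accepts 300 or 99999. */
    if (h1 > 255 || h2 > 255 || h3 > 255 || h4 > 255 || p1 > 255 || p2 > 255)
        return -1;

    snprintf(host, 16, "%u.%u.%u.%u", h1, h2, h3, h4);
    *port = (p1 << 8) | p2;
    return 0;
}

/* Decide where the data connection may go. control_peer is the dotted-quad
 * address the control connection is connected to (the only host the user
 * actually asked to talk to).
 *   0  -> connect to host:port
 *  -1  -> malformed reply, abort the transfer
 *  -2  -> server tried to redirect us to another host, abort the transfer */
static int pasv_data_target(const char *reply, const char *control_peer,
                            char host[16], unsigned *port)
{
    if (parse_pasv(reply, host, port) != 0)
        return -1;
    if (*port == 0)
        return -1;
    if (strcmp(host, control_peer) != 0)
        return -2;                  /* e.g. (10,0,0,5,0,25) from 192.0.2.10 */
    return 0;
}
```

Rejecting on mismatch is the strict policy. The other common choice, which curl exposes as --ftp-skip-pasv-ip, is to ignore the address in the reply entirely and connect to the control peer on the returned port; that also copes with servers behind NAT that announce a private address. Either way the client, not the server, decides which host gets the connection.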
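The NSURL entry (CVE-2007-4691) is a policy check defeated by letter case: URL schemes are case-insensitive, so a "does this URL point at the local file system?" test written as an exact byte comparison against "file:" says no to "FILE:///..." and the caller then skips its warning. The added example below, in C and written for this thread rather than taken from Apple, puts the naive check next to one that extracts the scheme the way RFC 3986 defines it (a letter followed by letters, digits, "+", "-" or ".") and compares it case-insensitively. The URLs in the test are constructed and the function names are mine.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Vulnerable form: byte-exact prefix match, only catches lowercase "file:". */
static bool is_local_file_url_naive(const char *url)
{
    return strncmp(url, "file:", 5) == 0;
}

/* Copy the URL's scheme into out, lowercased. Returns the scheme length, or
 * 0 if the string does not start with a valid scheme followed by ':' (or the
 * scheme does not fit in out). A scheme is ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ). */
static size_t url_scheme(const char *url, char *out, size_t outsz)
{
    size_t n = 0;

    if (!isalpha((unsigned char)url[0]))
        return 0;
    while (url[n] != '\0' &&
           (isalnum((unsigned char)url[n]) ||
            url[n] == '+' || url[n] == '-' || url[n] == '.'))
        n++;
    if (url[n] != ':' || n + 1 > outsz)
        return 0;

    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)url[i]);
    out[n] = '\0';
    return n;
}

/* Hardened form: parse the scheme, then compare it case-insensitively.
 * Anything without a recognisable scheme is reported as "not a file URL";
 * callers that treat unknown input as local should do so explicitly. */
static bool is_local_file_url(const char *url)
{
    char scheme[16];

    return url_scheme(url, scheme, sizeof scheme) != 0 &&
           strcmp(scheme, "file") == 0;
}
```

The same reasoning applies to every security decision keyed on a scheme or host name: normalise first (lowercase, resolve the scheme, canonicalise the host), then compare. A check that runs before normalisation is a check the attacker gets to pick the input for.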
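The CoreFoundation entry (CVE-2007-4681) is a one-byte overflow while listing a directory, and the fix is "ensuring that the destination buffer is sized to contain the data". The usual way this class of bug arises is a size computation that accounts for the directory, the separator and the name but not the terminating NUL. The added example below, in C and written for this thread (it is not the CoreFoundation code and does not reproduce the real bug), shows the miscount next to the correct one, and a join routine that never writes beyond the buffer it is given. The paths in the test are constructed and the function names are mine.

```c
#include <stdio.h>
#include <string.h>

/* The miscount: dir + '/' + name, forgetting the terminating NUL. A buffer
 * allocated with this size is exactly one byte too small, and the strcpy
 * or sprintf that fills it writes one byte past the end. */
static size_t join_size_buggy(const char *dir, const char *name)
{
    return strlen(dir) + 1 + strlen(name);
}

/* Correct size: dir + '/' + name + NUL. */
static size_t join_size(const char *dir, const char *name)
{
    return strlen(dir) + 1 + strlen(name) + 1;
}

/* Bounded join. Writes "dir/name" into out if, and only if, it fits together
 * with its NUL in outsz bytes. Returns the length written (without the NUL)
 * or -1 without touching out when it does not fit. Checking the required
 * size before formatting keeps the failure explicit rather than relying on
 * snprintf truncation, which would silently hand back a wrong path. */
static int path_join(char *out, size_t outsz, const char *dir, const char *name)
{
    if (join_size(dir, name) > outsz)
        return -1;

    int n = snprintf(out, outsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                  /* cannot happen after the check above */
    return n;
}
```

If you want to see the original miscount actually fail, allocate join_size_buggy() bytes, sprintf() into it and run the program under AddressSanitizer; the one-byte write lands on the heap redzone immediately after the buffer. The bounded routine above refuses that buffer instead.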
#2
I don't think anyone claims OS X isn't vulnerable and doesn't have its flaws. What most people say is OS X has measures in place to prevent such security holes from being easily exploited and certainly not in a way that is self replicating.

Also take into account that some things that were once "features" are now considered security holes. That's a giant grey area and thus is very subjective.
#3
What a waste of bandwidth, you couldn't just post the link?

>> At this time, there are no known exploits publicly or privately available.

Please wake me up when there is.
#4
jdc wrote:
> What a waste of bandwidth, you couldn't just post the link?
>
> >> At this time, there are no known exploits publicly or privately available.
>
> Please wake me up when there is.

This is not a "waste of bandwidth". Simple text takes very little bandwidth.

I prefer it when a post contains the pertinent information, but a link to the original post should be included.

The idea behind this post is very valid.

I still feel secure using OS X.

JJ
#5
Sorry, I received it as an email, so there's no link to send you.
#6
Isn't staying ahead of problems better than trying to scramble to catch up? Sort of why vaccines have been developed, right?

