Languages

Archived - About the security content of Mac OS X 10.4.9 and Security Update 2007-003

This article has been archived and is no longer updated by Apple.

This document describes the security content of Mac OS X 10.4.9 and Security Update 2007-003, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

Installation note

Software Update will present the update that applies to your system configuration. Only one is needed. Security Update 2007-003 will install on Mac OS X v10.3.9 and Mac OS X Server v10.3.9 systems.

Mac OS X v10.4.9 contains the security fixes present in Security Update 2007-003 and will install on Mac OS X v10.4 or later, as well as Mac OS X Server v10.4 or later systems.

Security Update 2007-003 / Mac OS X v10.4.9

  • ColorSync

    CVE-ID: CVE-2007-0719

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Viewing a maliciously-crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution

    Description: A stack buffer overflow exists in the handling of embedded ColorSync profiles. By enticing a user to open a maliciously-crafted image, an attacker can trigger the overflow, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of ColorSync profiles. Credit to Tom Ferris of Security-Protocols for reporting this issue.

  • CoreGraphics

    Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Viewing a malformed PDF Document may lead to an application hang

    Description: CoreGraphics has been updated to address the issue described on the Month of Apple Bugs web site (MOAB-06-01-2007), which may lead to an application hang.

  • Crash Reporter

    CVE-ID: CVE-2007-0467

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Crash Reporter may allow a local admin user to obtain system privileges

    Description: Crash Reporter uses an admin-writable system directory to store logs of processes that have been unexpectedly terminated. A malicious process running as an admin can cause these logs to be written to arbitrary files as root, which could result in the execution of commands with elevated privileges. This issue has been described on the Month of Apple Bugs web site (MOAB-28-01-2007). This update addresses the issue by performing additional validation prior to writing to log files.

  • CUPS

    CVE-ID: CVE-2007-0720

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Remote attackers may cause a denial of service during SSL negotiation

    Description: A partially-negotiated SSL connection with the CUPS service may prevent other requests from being served until the connection is closed. This update addresses the issue by implementing timeouts during SSL negotiation.

  • Disk Images

    CVE-ID: CVE-2007-0721

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Mounting a maliciously-crafted disk image may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption vulnerability exists in diskimages-helper. By enticing a user to open a maliciously-crafted compressed disk image, an attacker could trigger this issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of disk images.

  • Disk Images

    CVE-ID: CVE-2007-0722

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Mounting a maliciously-crafted AppleSingleEncoding disk image may lead to an unexpected application termination or arbitrary code execution

    Description: An integer overflow vulnerability exists in the handler for AppleSingleEncoding disk images. By enticing a local user to open a maliciously-crafted disk image, an attacker could trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of AppleSingleEncoding disk images.

  • Disk Images

    CVE-ID: CVE-2006-6061, CVE-2006-6062, CVE-2006-5679, CVE-2007-0229, CVE-2007-0267, CVE-2007-0299

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8

    Impact: Downloading a maliciously-crafted disk image may lead to an unexpected system shutdown or arbitrary code execution

    Description: Several vulnerabilities exist in the processing of disk images that may lead to an unexpected termination of system operations or arbitrary code execution. These have been described on the Month of Kernel Bugs and Month of Apple Bugs web sites (MOKB-03-11-2006, MOKB-20-11-2006, MOKB-21-11-2006, MOAB-10-01-2007, MOAB-11-01-2007 and MOAB-12-01-2007). Since a disk image may be automatically mounted when visiting web sites, this allows a malicious web site to cause a denial of service. This update addresses the issue by performing additional validation of downloaded disk images prior to mounting them.

  • DS Plug-Ins

    CVE-ID: CVE-2007-0723

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Unprivileged LDAP users may be able to change the local root password

    Description: An implementation flaw in DirectoryService allows an unprivileged LDAP user to change the local root password. The authentication mechanism in DirectoryService has been fixed to address this issue.

  • Flash Player

    CVE-ID: CVE-2006-5330

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Playing maliciously-crafted Flash content could allow an HTTP request splitting attack

    Description: Adobe Flash Player is updated to version 9.0.28.0 to fix a potential vulnerability that could allow HTTP request splitting attacks. This issue is described as APSB06-18 on the Adobe web site at http://www.adobe.com/support/security/

  • GNU Tar

    CVE-ID: CVE-2006-6097

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Extracting a maliciously-crafted tar archive may lead to arbitrary files being overwritten

    Description: GNU Tar does not correctly handle tar archives that contain a GNUTYPES_NAME record with a symbolic link. By enticing a local user to extract a maliciously-crafted tar archive, an attacker may cause arbitrary files to be overwritten with the permissions of the person using tar. This issue has been addressed by performing additional validation of tar files.

  • HFS

    CVE-ID: CVE-2007-0318

    Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Removing a file from a maliciously-crafted mounted filesystem may lead to a denial of service

    Description: An HFS+ filesystem in a mounted disk image can be constructed to trigger a kernel panic when attempting to remove a file from a mounted filesystem. This has been described on the Month of Apple Bugs web site (MOAB-13-01-2007). This update addresses the issue by performing additional validation of the HFS+ filesystem.

  • HID Family

    CVE-ID: CVE-2007-0724

    Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Console keyboard events are exposed to other users on the local system

    Description: Insufficient controls in the IOKit HID interface allow any logged in user to capture console keystrokes, including passwords and other sensitive information. This update addresses the issue by limiting HID device events to processes belonging to the current console user. Credit to Andrew Garber of University of Victoria, Alex Harper, and Michael Evans for reporting this issue.

  • ImageIO

    CVE-ID: CVE-2007-1071

    Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Viewing a maliciously-crafted GIF file may lead to an unexpected application termination or arbitrary code execution

    Description: An integer overflow vulnerability exists in the process of handling GIF files. By enticing a user to open a maliciously-crafted image, an attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of GIF files. This issue does not affect systems prior to Mac OS X v10.4. Credit to Tom Ferris of Security-Protocols for reporting this issue.

  • ImageIO

    CVE-ID: CVE-2007-0733

    Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Viewing a maliciously-crafted RAW Image may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue exists in the process of handling RAW images. By enticing a user to open a maliciously-crafted image, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of RAW images. This issue does not affect systems prior to Mac OS X v10.4. Credit to Luke Church of the Computer Laboratory, University of Cambridge, for reporting this issue.

  • Kernel

    CVE-ID: CVE-2006-5836

    Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Malicious local users may be able to cause a denial of service

    Description: Using the fpathconf() system call on certain file types will result in a kernel panic. This has been described on the Month of Kernel Bugs web site (MOKB-09-11-2006). This update addresses the issue through improved handling for all kernel defined file types. Credit to Ilja van Sprundel for reporting this issue.

  • Kernel

    CVE-ID: CVE-2006-6126

    Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Executing a maliciously-crafted Mach-O binary may lead to an unexpected termination of system operations.

    Description: An implementation issue exists in the kernel's handling of faults while loading Mach-O binaries. This could allow a malicious local user to cause a kernel panic. This issue has been described on the Month of Kernel Bugs web site (MOKB-23-11-2006). This issue only affects systems with Intel processors. This issue does not allow kernel memory corruption and can not lead to privilege escalation. This update addresses the issue by performing additional validation of Mach-O binaries.

  • Kernel

    CVE-ID: CVE-2006-6129

    Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Executing a maliciously-crafted Universal Mach-O binary may lead to an unexpected termination of system operations or arbitrary code execution with elevated privileges

    Description: An integer overflow vulnerability exists in the loading of Universal Mach-O binaries. This could allow a malicious local user to cause a kernel panic or to obtain system privileges. This has been described on the Month of Kernel Bugs web site (MOKB-26-11-2006). This update addresses the issue by performing additional validation of Universal binaries.

  • Kernel

    CVE-ID: CVE-2006-6173

    Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Executing a maliciously-crafted program may lead to a system hang

    Description: The shared_region_make_private_np() system call allows a program to request a large allocation of kernel memory. This could allow a malicious local user to cause a system hang. This issue does not allow an integer overflow to occur, and it cannot lead to arbitrary code execution. This issue has been described on the Month of Kernel Bugs web site (MOKB-28-11-2006). This update addresses the issue by additional validation of the arguments passed to shared_region_make_private_np().

  • Kernel

    CVE-ID: CVE-2007-0430

    Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Malicious local users may be able to cause a system hang

    Description: The shared_region_map_file_np system call allows a program to request a large allocation of kernel memory. This could allow a malicious local user to cause a system hang. This issue does not lead to arbitrary code execution. This update addresses the issue through additional validation of the arguments passed to shared_region_map_file_np. Credit to RISE Security for reporting this issue.

  • MySQL Server

    CVE-ID: CVE-2006-1516, CVE-2006-1517, CVE-2006-2753, CVE-2006-3081, CVE-2006-4031, CVE-2006-4226, CVE-2006-3469

    Available for: Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Multiple vulnerabilities in MySQL, the most serious of which is arbitrary code execution

    Description: MySQL is updated from version 4.1.13 to 4.1.22. Further information is available via the MySQL web site at http://dev.mysql.com/doc/refman/4.1/en/news-4-1-x.html

  • Networking

    CVE-ID: CVE-2006-6130

    Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Malicious local users may be able to cause an unexpected termination of system operations or execute arbitrary code with elevated privileges

    Description: A memory corruption issue exists in the AppleTalk protocol handler. This could allow a malicious local user to cause a kernel panic or gain system privileges. This has been described on the Month of Kernel Bugs web site (MOKB-27-11-2006). This update addresses the issue by performing additional validation of the input data structures.

  • Networking

    CVE-ID: CVE-2007-0236

    Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Maliciously-crafted AppleTalk requests may lead to a local denial of service or arbitrary code execution

    Description: A heap buffer overflow vulnerability exists in the AppleTalk protocol handler. By sending a maliciously-crafted request, a local user can trigger the overflow which may lead to a denial of service or arbitrary code execution. This has been described on the Month of Apple Bugs web site (MOAB-14-01-2007). This update addresses the issue by performing additional validation of the input data.

  • OpenSSH

    CVE-ID: CVE-2007-0726

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: A remote attacker can destroy established trust between SSH hosts by causing SSH Keys to be regenerated

    Description: SSH keys are created on a server when the first SSH connection is established. An attacker connecting to the server before SSH has finished creating the keys could force the keys then to be recreated. This could result in a denial of service against processes that rely on a trust relationship with the server. Systems that already have SSH enabled and have rebooted at least once are not vulnerable to this issue. This issue is addressed by improving the SSH key generation process. This issue is specific to the Apple implementation of OpenSSH. Credit to Jeff Mccune of The Ohio State University for reporting this issue.

  • OpenSSH

    CVE-ID: CVE-2006-0225, CVE-2006-4924, CVE-2006-5051, CVE-2006-5052

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Multiple vulnerabilities in OpenSSH, the most serious of which is arbitrary code execution

    Description: OpenSSH is updated to version 4.5. Further information is available via the OpenSSH web site at http://www.openssh.org/txt/release-4.5.

  • Printing

    CVE-ID: CVE-2007-0728

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: An unprivileged local user can overwrite arbitrary files with system privileges

    Description: Insecure file operations may occur during the initialization of a USB printer. An attacker may leverage this issue to create or overwrite arbitrary files on the system. This update addresses the issue by improving the printer initialization process.

  • QuickDraw Manager

    CVE-ID: CVE-2007-0588

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Opening a maliciously-crafted PICT image may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow vulnerability exists in QuickDraw's PICT image processing. By enticing a user to open a maliciously-crafted image, an attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT files. Credit to Tom Ferris of Security-Protocols and Mike Price of McAfee AVERT Labs for reporting this issue.

  • QuickDraw Manager

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Opening a malformed PICT image may lead to an unexpected application termination

    Description: QuickDraw Manager has been updated to address the issue described on the Month of Apple Bugs web site (MOAB-23-01-2007), which may lead to an unexpected application termination. This issue can not lead to arbitrary code execution.

  • servermgrd

    CVE-ID: CVE-2007-0730

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Remote attackers may be able to access Server Manager without valid credentials

    Description: An issue in Server Manager's validation of authentication credentials could allow a remote attacker to alter the system configuration. This update addresses the issue by additional validation of authentication credentials.

  • SMB File Server

    CVE-ID: CVE-2007-0731

    Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: A user with write access to an SMB share may be able to cause a denial of service or arbitrary code execution

    Description: A stack buffer overflow vulnerability exists in an Apple-specific Samba module. A file with an overly-long ACL could trigger the overflow, which may lead to a denial of service or arbitrary code execution. This update addresses the issue by performing additional validation of ACLs. This issue does not affect systems prior to Mac OS X v10.4. Credit to Cameron Kay of Massey University, New Zealand for reporting this issue.

  • Software Update

    CVE-ID: CVE-2007-0463

    Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: Opening a maliciously-crafted Software Update Catalog file may lead to an unexpected application termination or arbitrary code execution

    Description: A format string vulnerability exists in the Software Update application. By enticing a user to download and open a Software Update Catalog file, an attacker can trigger the vulnerability which may lead to an unexpected application termination or arbitrary code execution. This has been described on the Month of Apple Bugs web site (MOAB-24-01-2007). This update addresses the issue by removing document bindings for Software Update Catalogs. This issue does not affect systems prior to Mac OS X v10.4. Credit to Kevin Finisterre of DigitalMunition for reporting this issue.

  • sudo

    CVE-ID: CVE-2005-2959

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: A local user with sudo access to a bash script can run arbitrary commands with elevated privileges

    Description: A user-modified sudo configuration could allow environment variables to be passed through to the program running as a privileged user. If sudo is configured to allow an otherwise unprivileged user to execute a given bash script with elevated privileges, the user may be able to execute arbitrary code with elevated privileges. Systems with the default sudo configuration are not vulnerable to this issue. This issue has been addressed by updating sudo to 1.6.8p12. Further information is available via the sudo web site at http://www.sudo.ws/sudo/current.html

  • WebLog

    CVE-ID: CVE-2006-4829

    Available for: Mac OS X Server v10.4 through Mac OS X Server v10.4.8

    Impact: A remote attacker can conduct cross-site scripting attacks through Blojsom

    Description: A cross-site scripting vulnerability exists in Blojsom. This allows remote attackers to inject JavaScript into blog content that will execute in the domain of the Blojsom server. This update addresses the issue by performing additional validation of the user input. This issue does not affect systems prior to Mac OS X v10.4.

Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance or use of information or products found at third-party websites. Apple provides this only as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the Internet, and Apple assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website. Please contact the vendor for additional information.

Last Modified: Feb 20, 2012
Print this page
  • Last Modified: Feb 20, 2012
  • Article: TA24626
  • Views:

    83514
  • Rating:
    • 40.0

    (4 Responses)