About the security content of the Mac OS X 10.4.8 Update and Security Update 2006-006

This document describes Security Update 2006-006 and the security content of Mac OS X 10.4.8 Update, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To find out more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To find out about other Security Updates, see "Apple Security Updates".

Mac OS X v10.4.8 and Security Update 2006-006

  • CFNetwork

    CVE-ID: CVE-2006-4390

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 to Mac OS X v10.4.7, Mac OS X Server v10.4 to Mac OS X Server v10.4.7

    Impact: CFNetwork clients such as Safari may allow unauthenticated SSL sites to appear as authenticated

    Description: Connections created using SSL are normally authenticated and encrypted. When encryption is implemented without authentication, malicious sites may be able to pose as trusted sites. In the case of Safari this may lead to the lock icon being displayed when the identity of a remote site cannot be trusted. This update addresses the issue by disallowing anonymous SSL connections by default. Credit to Adam Bryzak of Queensland University of Technology for reporting this issue.
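
The distinction this entry turns on, encryption with versus without authentication of the peer, can be checked in a client's TLS configuration. The following is an added example (not Apple or CFNetwork code) using only Python's standard `ssl` module; the function names, the finding strings and the `ANON_MARKERS` list are this example's own choices. It builds a context that requires an authenticated peer, a context with the weak "encrypt but don't authenticate" setting, and an audit function that flags the latter.

```python
"""Audit whether a TLS client context actually authenticates the server.

Added example for the CFNetwork (anonymous SSL) entry; it is not Apple or
CFNetwork code. Everything here is standard-library `ssl`; the function
names and finding strings are this example's own.
"""
import ssl

# Substrings that mark anonymous (unauthenticated) key exchange in OpenSSL
# cipher-suite names: ADH / AECDH (classic names) and "anon" (newer names).
ANON_MARKERS = ("ADH", "AECDH", "ANON")


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context refuses
    to talk to a server it cannot authenticate."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate (check_hostname=False)")
    enabled = [c["name"] for c in ctx.get_ciphers()]
    anon = [n for n in enabled if any(m in n.upper() for m in ANON_MARKERS)]
    if anon:
        findings.append("anonymous cipher suites enabled: " + ", ".join(anon))
    return findings


def authenticated_client_context() -> ssl.SSLContext:
    """Client context that requires a certificate chaining to a trusted CA,
    checks it against the hostname, and excludes anonymous key exchange."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Exclude anonymous (aNULL) and null-encryption (eNULL) suites explicitly,
    # even though the default context already leaves them out.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL")
    return ctx


def unauthenticated_client_context() -> ssl.SSLContext:
    """The weak setting: the channel is encrypted, but any server that
    completes the handshake is accepted, so an impersonator passes."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = False  # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for label, ctx in (("strict", authenticated_client_context()),
                       ("weak", unauthenticated_client_context())):
        print(label, audit_tls_context(ctx) or "OK")
```

Passing `authenticated_client_context()` to `ssl.SSLContext.wrap_socket` or `http.client.HTTPSConnection(..., context=ctx)` makes the client fail closed on an unauthenticated server; the audit function is useful in a test suite that guards against someone lowering `verify_mode` to silence certificate errors.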

  • Flash Player

    CVE-ID: CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 to Mac OS X v10.4.7, Mac OS X Server v10.4 to Mac OS X Server v10.4.7

    Impact: Playing Flash content may lead to arbitrary code execution

    Description: Adobe Flash Player contains critical vulnerabilities that may lead to arbitrary code execution when handling maliciously crafted content. This update addresses the issues by incorporating Flash Player version 9.0.16.0 on Mac OS X v10.3.9 and Flash Player version 9.0.20.0 on Mac OS X v10.4 systems.

    Further information is available via the Adobe web site at http://www.adobe.com/support/security/bulletins/apsb06-11.html.

  • ImageIO

    CVE-ID: CVE-2006-4391

    Available for: Mac OS X v10.4 to Mac OS X v10.4.7, Mac OS X Server v10.4 to Mac OS X Server v10.4.7

    Impact: Viewing a maliciously crafted JPEG2000 image may lead to an application crash or arbitrary code execution

    Description: By carefully crafting a corrupt JPEG2000 image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of JPEG2000 images. This issue does not affect systems prior to Mac OS X v10.4. Credit to Tom Saxton of Idle Loop Software Design for reporting this issue.

  • Kernel

    CVE-ID: CVE-2006-4392

    Available for: Mac OS X v10.4 to Mac OS X v10.4.7, Mac OS X Server v10.4 to Mac OS X Server v10.4.7

    Impact: Local users may be able to run arbitrary code with raised privileges

    Description: An error-handling mechanism in the kernel, known as Mach exception ports, provides the ability to control programs when certain types of errors are encountered. Malicious local users could use this mechanism to execute arbitrary code in privileged programs if an error is encountered. This update addresses the issue by restricting access to Mach exception ports for privileged programs. Credit to Dino Dai Zovi of Matasano Security for reporting this issue.

  • LoginWindow

    CVE-ID: CVE-2006-4397

    Available for: Mac OS X v10.4 to Mac OS X v10.4.7, Mac OS X Server v10.4 to Mac OS X Server v10.4.7

    Impact: After an unsuccessful attempt to log in to a network account, Kerberos tickets may be accessible to other local users

    Description: Due to an unchecked error condition, Kerberos tickets may not be properly destroyed after unsuccessfully attempting to log in to a network account via loginwindow. This could result in unauthorised access by other local users to a previous user’s Kerberos tickets. This update addresses the issue by clearing the credentials cache after failed logins. This issue does not affect systems prior to Mac OS X v10.4. Credit to Patrick Gallagher of Digital Peaks Corporation for reporting this issue.

  • LoginWindow

    CVE-ID: CVE-2006-4393

    Available for: Mac OS X v10.4 to Mac OS X v10.4.7, Mac OS X Server v10.4 to Mac OS X Server v10.4.7

    Impact: Kerberos tickets may be accessible to other local users if Fast User Switching is enabled

    Description: An error in the handling of Fast User Switching may allow a local user to gain access to the Kerberos tickets of other local users. Fast User Switching has been updated to prevent this situation. This issue does not affect systems prior to Mac OS X v10.4. Credit to Ragnar Sundblad of the Royal Institute of Technology, Stockholm, Sweden for reporting this issue.

  • LoginWindow

    CVE-ID: CVE-2006-4394

    Available for: Mac OS X v10.4 to Mac OS X v10.4.7, Mac OS X Server v10.4 to Mac OS X Server v10.4.7

    Impact: Network accounts may be able to bypass loginwindow service access controls

    Description: Service access controls can be used to restrict which users are allowed to log in to a system via loginwindow. A logic error in loginwindow allows network accounts without GUIDs to bypass service access controls. This issue only affects systems that have been configured to use service access controls for loginwindow and to allow network accounts to authenticate users without a GUID. The issue has been resolved by properly handling service access controls in loginwindow. This issue does not affect systems prior to Mac OS X v10.4.

  • Preferences

    CVE-ID: CVE-2006-4387

    Available for: Mac OS X v10.4 to Mac OS X v10.4.7, Mac OS X Server v10.4 to Mac OS X Server v10.4.7

    Impact: After removing an account’s Admin privileges, the account may still manage WebObjects applications

    Description: Unticking the “Allow user to administer this computer” box in System Preferences may fail to remove the account from the appserveradm or appserverusr groups. These groups allow an account to manage WebObjects applications. This update addresses the issue by ensuring the account is removed from the appropriate groups. This issue does not affect systems prior to Mac OS X v10.4. Credit to Phillip Tejada of Fruit Bat Software for reporting this issue.

  • QuickDraw Manager

    CVE-ID: CVE-2006-4395

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 to Mac OS X v10.4.7, Mac OS X Server v10.4 to Mac OS X Server v10.4.7

    Impact: Opening a malicious PICT image with certain applications may lead to an application crash or arbitrary code execution

    Description: Certain applications invoke an unsupported QuickDraw operation to display PICT images. By carefully crafting a corrupt PICT image, an attacker can trigger memory corruption in these applications, which may lead to an application crash or arbitrary code execution. This update addresses the issue by preventing the unsupported operation.

  • SASL

    CVE-ID: CVE-2006-1721

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 to Mac OS X v10.4.7, Mac OS X Server v10.4 to Mac OS X Server v10.4.7

    Impact: Remote attackers may be able to cause an IMAP server denial of service

    Description: An issue in the DIGEST-MD5 negotiation support in Cyrus SASL can lead to a segmentation fault in the IMAP server with a maliciously crafted realm header. This update addresses the issue through improved handling of realm headers in authentication attempts.
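
The realm directive the entry refers to is one field of the comma-separated `name=value` list that a DIGEST-MD5 challenge is made of (RFC 2831 syntax). The following is an added example, not Cyrus SASL code and not a reproduction of the original defect: a bounds-checked parser for that list, written so that a malformed, oversized or repeated realm directive produces a controlled protocol error instead of an out-of-bounds access. The length limits, the `DigestParseError` name and the sample challenge are this example's own constructed choices.

```python
"""Defensive parser for a SASL DIGEST-MD5 challenge (RFC 2831 syntax).

Added example for the SASL entry; not Cyrus SASL code. The limits below
are constructed for this example, not values taken from the advisory.
"""
import re

MAX_CHALLENGE_LEN = 4096   # constructed bound on the whole challenge
MAX_REALM_LEN = 255        # constructed bound on one realm value
MAX_REALMS = 8             # constructed bound on repeated realm directives

# RFC 2831: directive names are tokens; values are tokens or quoted strings.
_TOKEN = re.compile(r'[^\x00-\x20()<>@,;:\\"/\[\]?={}\x7f]+')


class DigestParseError(ValueError):
    """Raised for any malformed challenge; callers treat it as a protocol error."""


def _read_quoted(data: str, pos: int) -> tuple[str, int]:
    """Read a quoted-string whose opening quote is at data[pos]; return (value, next_pos)."""
    out = []
    i = pos + 1
    while i < len(data):
        ch = data[i]
        if ch == "\\":                       # quoted-pair: backslash escapes next char
            if i + 1 >= len(data):
                raise DigestParseError("dangling backslash in quoted string")
            out.append(data[i + 1])
            i += 2
        elif ch == '"':
            return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    raise DigestParseError("unterminated quoted string")


def parse_digest_challenge(challenge: bytes) -> dict:
    """Parse 'k=v,k2="v 2",...' into a dict; 'realm' is always a list.

    Every index is bounds-checked before use, so malformed input cannot
    read past the buffer; every failure raises DigestParseError.
    """
    if len(challenge) > MAX_CHALLENGE_LEN:
        raise DigestParseError("challenge too long")
    try:
        data = challenge.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise DigestParseError("challenge is not valid UTF-8") from exc

    result: dict = {"realm": []}
    pos = 0
    while pos < len(data):
        while pos < len(data) and data[pos] in " \t,":   # skip separators / empties
            pos += 1
        if pos >= len(data):
            break
        m = _TOKEN.match(data, pos)
        if not m or m.end() >= len(data) or data[m.end()] != "=":
            raise DigestParseError(f"expected directive name at offset {pos}")
        name = m.group(0).lower()
        pos = m.end() + 1
        if pos < len(data) and data[pos] == '"':
            value, pos = _read_quoted(data, pos)
        else:
            v = _TOKEN.match(data, pos)
            if not v:
                raise DigestParseError(f"expected value for {name!r} at offset {pos}")
            value, pos = v.group(0), v.end()
        if pos < len(data) and data[pos] not in ", \t":
            raise DigestParseError(f"junk after value of {name!r} at offset {pos}")
        if name == "realm":
            if len(value) > MAX_REALM_LEN:
                raise DigestParseError("realm value too long")
            if len(result["realm"]) >= MAX_REALMS:
                raise DigestParseError("too many realm directives")
            result["realm"].append(value)
        elif name in result:
            raise DigestParseError(f"duplicate directive {name!r}")
        else:
            result[name] = value
    return result


def is_well_formed(challenge: bytes) -> bool:
    """True if the challenge parses; False (never an exception) otherwise."""
    try:
        parse_digest_challenge(challenge)
        return True
    except DigestParseError:
        return False


# Constructed sample challenge in the RFC 2831 shape; the nonce is made up.
SAMPLE_CHALLENGE = (b'realm="example.test",nonce="OA6MG9tEQGm2hh",qop="auth",'
                    b'charset=utf-8,algorithm=md5-sess')

if __name__ == "__main__":
    print(parse_digest_challenge(SAMPLE_CHALLENGE))
    print(is_well_formed(b'realm="unterminated'))
```

The point of the structure is that the parser owns every index into the buffer and enforces a size budget per directive; a server that treats `DigestParseError` as "reject the authentication attempt" turns a crafted realm into a logged failure rather than a crash.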

  • WebCore

    CVE-ID: CVE-2006-3946

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 to Mac OS X v10.4.7, Mac OS X Server v10.4 to Mac OS X Server v10.4.7

    Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution

    Description: A memory management error in WebKit’s handling of certain HTML could allow a malicious web site to cause a crash or potentially execute arbitrary code as the user viewing the site. This update addresses the issue by preventing the condition causing the overflow. Credit to Jens Kutilek of Netzallee, Lurene Grenier – Senior Research Engineer at Sourcefire VRT, and Jose Avila III – Security Analyst at ONZRA for reporting this issue.

  • Workgroup Manager

    CVE-ID: CVE-2006-4399

    Available for: Mac OS X Server v10.4 to Mac OS X Server v10.4.7

    Impact: Accounts in a NetInfo parent that appear to use ShadowHash passwords may still use crypt

    Description: Workgroup Manager appears to allow switching authentication type from crypt to ShadowHash passwords in a NetInfo parent, when in actuality, it does not. Refreshing the view of an account in a NetInfo parent will properly indicate that crypt is still being used. This update addresses the issue by preventing administrators from selecting ShadowHash passwords for accounts in a NetInfo parent. Credit to Chris Pepper of The Rockefeller University for reporting this issue.

Installation note

Software Update will present the update that applies to your system configuration. Only one is needed.

Security Update 2006-006 will install on Mac OS X v10.3.9 and Mac OS X Server v10.3.9 systems.

Mac OS X v10.4.8 contains the security fixes present in Security Update 2006-006 and will install on Mac OS X v10.4 or later, as well as Mac OS X Server v10.4 or later systems.

Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple’s recommendation or endorsement. Please contact the vendor for additional information.

Published Date: