About Security Update 2007-009

This document describes Security Update 2007-009, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

Security Update 2007-009

Address Book

CVE-ID: CVE-2007-4708

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

Description: A format string vulnerability exists in Address Book's URL handler. By enticing a user to visit a maliciously crafted website, a remote attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of format strings. This issue does not affect systems running Mac OS X 10.5 or later.

CFNetwork

CVE-ID: CVE-2007-4709

Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: Visiting a malicious website could allow the automatic download of files to arbitrary folders to which the user has write permission.

Description: A path traversal issue exists in CFNetwork's handling of downloaded files. By enticing a user to visit a malicious website, an attacker may cause the automatic download of files to arbitrary folders to which the user has write permission. This update addresses the issue through improved processing of HTTP responses. This issue does not affect systems prior to Mac OS X 10.5. Credit to Sean Harding for reporting this issue.

ColorSync

CVE-ID: CVE-2007-4710

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution.

Description: A memory corruption issue exists in the handling of images with an embedded ColorSync profile. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of images. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Tom Ferris of Adobe Secure Software Engineering Team (ASSET) for reporting this issue.

Core Foundation

CVE-ID: CVE-2007-5847

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Usage of CFURLWriteDataAndPropertiesToResource API may lead to the disclosure of sensitive information.

Description: A race condition exists in the CFURLWriteDataAndPropertiesToResource API, which may cause files to be created with insecure permissions. This may lead to the disclosure of sensitive information. This update addresses the issue through improved file handling. This issue does not affect systems running Mac OS X 10.5 or later.

CUPS

CVE-ID: CVE-2007-5848

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: A local admin user may be able to gain system privileges.

Description: A buffer overflow issue exists in the printer driver for CUPS. This may allow a local admin user to gain system privileges by passing a maliciously crafted URI to the CUPS service. This update addresses the issue by ensuring that the destination buffer is sized to contain the data. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Dave Camp at Critical Path Software for reporting this issue.

CUPS

CVE-ID: CVE-2007-4351

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution.

Description: A memory corruption issue exists in the handling of Internet Printing Protocol (IPP) tags, which may allow a remote attacker to cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

CUPS

CVE-ID: CVE-2007-5849

Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: If SNMP is enabled, a remote attacker may cause an unexpected application termination or arbitrary code execution.

Description: The CUPS backend SNMP program broadcasts SNMP requests to discover network print servers. A stack buffer overflow may result from an integer underflow in the handling of SNMP responses. If SNMP is enabled, a remote attacker may exploit this issue by sending a maliciously crafted SNMP response, which may cause an application termination or arbitrary code execution. This update addresses the issue by performing additional validation of SNMP responses. This issue does not affect systems prior to Mac OS X 10.5. Credit to Wei Wang of McAfee Avert Labs for reporting this issue.

Desktop Services

CVE-ID: CVE-2007-5850

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Opening a directory containing a maliciously-crafted .DS_Store file in Finder may lead to arbitrary code execution.

Description: A heap buffer overflow exists in Desktop Services. By enticing a user to open a directory containing a maliciously crafted .DS_Store file, an attacker may cause arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X 10.5 or later.

Flash Player Plug-in

CVE-ID: CVE-2007-5476

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: Multiple vulnerabilities in Adobe Flash Player Plug-in

Description: Multiple input validation issues exit in Adobe Flash Player Plug-in which may lead to arbitrary code execution. This update addresses the issue by updating Adobe Flash Player to version 9.0.115.0. Further information is available via the Adobe site at http://www.adobe.com/support/security/bulletins/apsb07-20.html. Credit to Opera Software for reporting this issue.

GNU Tar

CVE-ID: CVE-2007-4131

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Extracting a maliciously crafted tar archive could overwrite arbitrary files.

Description: A directory traversal issue exists in GNU Tar. By enticing a local user to extract a maliciously crafted tar archive, an attacker may cause arbitrary files to be overwritten. This issue has been addressed by performing additional validation of tar files. This issue does not affect systems running Mac OS X 10.5 or later.

iChat

CVE-ID: CVE-2007-5851

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: A person on the local network may initiate a video connection without the user's approval.

Description: An attacker on the local network may initiate a video conference with a user without the user's approval. This update addresses the issue by requiring user interaction to initiate a video conference. This issue does not affect systems running Mac OS X 10.5 or later.

IO Storage Family

CVE-ID: CVE-2007-5853

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Opening a maliciously crafted disk image may lead to an unexpected system shutdown or arbitrary code execution.

Description: A memory corruption issue exists in the handling of GUID partition maps within a disk image. By enticing a user to open a maliciously crafted disk image, an attacker may cause an unexpected system shutdown or arbitrary code execution. This update addresses the issue through additional validation of GUID partition maps. This issue does not affect systems running Mac OS X 10.5 or later.

Launch Services

CVE-ID: CVE-2007-5854

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: Opening a maliciously crafted HTML file may lead to information disclosure or cross-site scripting.

Description: Launch Services does not handle HTML files as potentially unsafe content. By enticing a user to open a maliciously crafted HTML file, an attacker may cause the disclosure of sensitive information or cross-site scripting. This update addresses the issue by handling HTML files as potentially unsafe content. Credit to Michal Zalewski of Google Inc. for reporting this issue.

Launch Services

CVE-ID: CVE-2007-6165

Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: Opening an executable mail attachment may lead to arbitrary code execution with no warning.

Description: An implementation issue exists in Launch Services, which may allow executable mail attachments to be run without warning when a user opens a mail attachment. This update addresses the issue by warning the user before launching executable mail attachments. This issue does not affect systems prior to Mac OS X 10.5. Credit to Xeno Kovah for reporting this issue.

Mail

CVE-ID: CVE-2007-5855

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: SMTP accounts set up through Account Assistant may use plaintext authentication even when MD5 Challenge-Response authentication is available.

Description: When setting up an SMTP account through Account Assistant, if SMTP authentication is selected, and if the server supports only MD5 Challenge-Response authentication and plaintext authentication, Mail defaults to using plaintext authentication. This update addresses the issue by ensuring that the most secure available mechanism is used. This issue does not affect systems running Mac OS X 10.5 or later.

perl

CVE-ID: CVE-2007-5116

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: Parsing regular expressions may lead to arbitrary code execution.

Description: A length calculation issue exists in the polymorphic opcode support in the Perl Regular Expression compiler. This may allow an attacker to cause memory corruption leading to arbitrary code execution by switching from byte to Unicode (UTF) characters in a regular expression. This update addresses the issue by recomputing the length if the character encoding changes. Credit to Tavis Ormandy and Will Drewry of Google Security Team for reporting this issue.

python

CVE-ID: CVE-2007-4965

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: Processing image content with imageop module may lead to an unexpected application termination or arbitrary code execution.

Description: Multiple integer overflows exist in python's imageop module. These may cause a buffer overflow to occur in applications which use the module to process maliciously crafted image content. This may lead to an unexpected application termination or arbitrary code execution. This updated addresses the issue by performing additional validation of image content.

Quick Look

CVE-ID: CVE-2007-5856

Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: Previewing a file with QuickLook enabled may lead to the disclosure of sensitive information.

Description: When previewing an HTML file, plug-ins are not restricted from making network requests. This may lead to the disclosure of sensitive information. This update addresses the issue by disabling plug-ins. This issue does not affect systems prior to Mac OS X 10.5.

Quick Look

CVE-ID: CVE-2007-5857

Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: Previewing a movie file may access URLs contained in the movie.

Description: Creating an icon for a movie file, or previewing that file using QuickLook may access URLs contained in the movie. This update addresses the issue by disabling HREFTrack while browsing movie files. This issue does not affect systems prior to Mac OS X 10.5, or systems with QuickTime 7.3 installed. Credit to Lukhnos D. Liu of Lithoglyph Inc. for reporting this issue.

ruby

CVE-ID: CVE-2007-5770

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: Multiple SSL certificate validation issues exist in ruby libraries.

Description: Multiple ruby libraries are affected by SSL certificate validation issues. This may lead to man-in-the-middle attacks against applications that use an affected library. This update addresses the issues by applying the ruby patch.

ruby

CVE-ID: CVE-2007-5379, CVE-2007-5380, CVE-2007-6077

Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: Multiple vulnerabilities exist in Rails 1.2.3

Description: Multiple vulnerabilities exist in Rails 1.2.3, which may lead to the disclosure of sensitive information. This update addresses the issue by updating Rails to version 1.2.6. This issue does not affect systems prior to Mac OS X 10.5.

Safari

CVE-ID: CVE-2007-5858

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: Visiting a malicious website may result in the disclosure of sensitive information.

Description: WebKit allows a page to navigate the subframes of any other page. Visiting a maliciously crafted web page could trigger a cross-site scripting attack, which may lead to the disclosure of sensitive information. This update addresses the issue by implementing a stricter frame navigation policy.

Safari RSS

CVE-ID: CVE-2007-5859

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Accessing a maliciously crafted feed: URL may lead to an application termination or arbitrary code execution.

Description: A memory corruption issue exists in Safari's handling of feed: URLs. By enticing a user to access a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of feed: URLs and providing an error message in case of an invalid URL. This issue does not affect systems running Mac OS X 10.5 or later.

Samba

CVE-ID: CVE-2007-4572, CVE-2007-5398

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: Multiple vulnerabilities in Samba

Description: Multiple vulnerabilities exist in Samba, the most serious of which is remote code execution. This update addresses the issues by applying patches from the Samba project. Further information is available via the Samba web site at http://www.samba.org/samba/history/security.html CVE-2007-4138 does not affect systems prior to Mac OS X 10.5. Credit to Alin Rad Pop of Secunia Research for reporting this issue.

Shockwave Plug-in

CVE-ID: CVE-2006-0024

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: Opening maliciously crafted Shockwave content may lead to arbitrary code execution.

Description: Multiple vulnerabilities exist in Shockwave Player. By enticing a user to open maliciously crafted Shockwave content, an attacker may cause arbitrary code execution. This update addresses the issues by updating Shockwave Player to version 10.1.1.016. Credit to Jan Hacker of ETH Zurich for reporting the problem in Shockwave.

SMB

CVE-ID: CVE-2007-3876

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: A local user may be able to execute arbitrary code with system privileges.

Description: A stack buffer overflow issue exists in the code used by the mount_smbfs and smbutil applications to parse command line arguments, which may allow a local user to cause arbitrary code execution with system privileges. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Sean Larsson of VeriSign iDefense Labs for reporting this issue.

Software Update

CVE-ID: CVE-2007-5863

Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: A man-in-the-middle attack could cause Software Update to execute arbitrary commands.

Description: When Software Update checks for new updates, it processes a distribution definition file which was sent by the update server. By intercepting requests to the update server, an attacker can provide a maliciously crafted distribution definition file with the "allow-external-scripts" option, which may cause arbitrary command execution when a system checks for new updates. This update addresses the issue by disallowing the "allow-external-scripts" option in Software Update. This issue does not affect systems prior to Mac OS X 10.5. Credit to Moritz Jodeit for reporting this issue.

Spin Tracer

CVE-ID: CVE-2007-5860

Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: A local user may be able to execute arbitrary code with system privileges.

Description: An insecure file operation exists in SpinTracer's handling of output files, which may allow a local user to execute arbitrary code with system privileges. This update addresses the issue through improved handling of output files. This issue does not affect systems prior to Mac OS X 10.5. Credit to Kevin Finisterre of DigitalMunition for reporting this issue.

Spotlight

CVE-ID: CVE-2007-5861

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Downloading a maliciously crafted .xls file may lead to an unexpected application termination or arbitrary code execution.

Description: A memory corruption issue exists in the Microsoft Office Spotlight Importer. By enticing a user to download a maliciously crafted .xls file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of .xls files. This issue does not affect systems running Mac OS X 10.5 or later.

tcpdump

CVE-ID: CVE-2007-1218, CVE-2007-3798

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Multiple vulnerabilities in tcpdump

Description: Multiple vulnerabilities exist in tcpdump, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating tcpdump to version 3.9.7. This issue does not affect systems running Mac OS X 10.5 or later.

XQuery

CVE-ID: CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Multiple vulnerabilities in the handling of regular expressions.

Description: Multiple vulnerabilities exist in the Perl Compatible Regular Expressions (PCRE) library used by XQuery, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating PCRE to version 7.3. Further information is available via the PCRE web site at http://www.pcre.org/. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Tavis Ormandy and Will Drewry of Google Security Team for reporting this issue.