About Security Update 2009-005

This document describes Security Update 2009-005.

For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To find out more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To find out more about other Security Updates, see "Apple Security Updates".

Security Update 2009-005

  • Alias Manager

    CVE-ID: CVE-2009-2800

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8

    Impact: opening a maliciously crafted alias file may lead to an unexpected application termination or arbitrary code execution

    Description: a buffer overflow exists in the handling of alias files. Opening a maliciously crafted alias file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

  • CarbonCore

    CVE-ID: CVE-2009-2803

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8

    Impact: opening a file with a maliciously crafted resource fork may lead to an unexpected application termination or arbitrary code execution

    Description: a memory corruption issue exists in the Resource Manager’s handling of resource forks. Opening a file with a maliciously crafted resource fork may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved validation of resource forks. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

  • ClamAV

    CVE-ID: CVE-2009-1241, CVE-2009-1270, CVE-2008-6680, CVE-2009-1371, CVE-2009-1372

    Available for: Mac OS X Server v10.5.8

    Impact: multiple vulnerabilities in ClamAV 0.94.2

    Description: multiple vulnerabilities exist in ClamAV 0.94.2, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating ClamAV to version 0.95.2. ClamAV is only distributed with Mac OS X Server systems. Further information is available via the ClamAV website at http://www.clamav.net/ These issues do not affect Mac OS X v10.6 systems.

  • ColorSync

    CVE-ID: CVE-2009-2804

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8

    Impact: viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution

    Description: an integer overflow exists in the handling of images with an embedded ColorSync profile, which may lead to a heap buffer overflow. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of ColorSync profiles. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

  • CoreGraphics

    CVE-ID: CVE-2009-2805

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8

    Impact: opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

    Description: an integer overflow in CoreGraphics’ handling of PDF files may result in a heap buffer overflow. Opening a PDF file containing a maliciously crafted JBIG2 stream may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Will Dormann of CERT/CC for reporting this issue. This issue does not affect Mac OS X v10.6 systems.

  • CoreGraphics

    CVE-ID: CVE-2009-2468

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8

    Impact: visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: a heap buffer overflow exists in the drawing of long text strings. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect Mac OS X v10.6 systems. Credit to Will Drewry of Google Inc. for reporting this issue.

  • CUPS

    CVE-ID: CVE-2009-0949

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8

    Impact: a remote attacker may be able to deny access to the Printer Sharing service

    Description: a null pointer dereference exists in CUPS. By repeatedly sending maliciously crafted scheduler requests, a remote attacker may be able to deny access to the Printer Sharing service. This update addresses the issue through improved validation of scheduler requests. This issue does not affect Mac OS X v10.6 systems. Credit to Anibal Sacco of the CORE IMPACT Exploit Writing Team (EWT) at Core Security Technologies for reporting this issue.

  • CUPS

    CVE-ID: CVE-2009-2807

    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8

    Impact: an unprivileged local user may be able to obtain system privileges

    Description: a heap buffer overflow exists in the CUPS USB backend. This may allow a local user to obtain system privileges. This update addresses the issue through improved bounds checking. This issue does not affect systems prior to Mac OS X v10.5, or Mac OS X v10.6 systems.

  • Flash Player plug-in

    CVE-ID: CVE-2009-1862, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8

    Impact: multiple vulnerabilities in Adobe Flash Player plug-in

    Description: multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted website. The issues are addressed by updating the Flash Player plug-in on Mac OS v10.5.8 to version 10.0.32.18, and to version 9.0.246.0 on Mac OS X v10.4.11 systems. For Mac OS X v10.6 systems, these issues are addressed in Mac OS X v10.6.1. Further information is available via the Adobe website at http://www.adobe.com/support/security/bulletins/apsb09-10.html

  • ImageIO

    CVE-ID: CVE-2009-2809

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8

    Impact: viewing a maliciously crafted PixarFilm encoded TIFF image may lead to an unexpected application termination or arbitrary code execution

    Description: multiple memory corruption issues exist in ImageIO’s handling of PixarFilm encoded TIFF images. Viewing a maliciously crafted PixarFilm encoded TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through additional validation of PixarFilm encoded TIFF images. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

  • Launch Services

    CVE-ID: CVE-2009-2811

    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8

    Impact: attempting to open unsafe downloaded content may not lead to a warning

    Description: This update adds “.fileloc” to the system’s list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from an email. While these content types are not automatically opened, if manually opened they could lead to the execution of a malicious payload. This update improves the system’s ability to notify users before handling “.fileloc” files. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

  • Launch Services

    CVE-ID: CVE-2009-2812

    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8

    Impact: visiting a malicious website may lead to arbitrary code execution

    Description: when an application is downloaded, Launch Services analyses its exported document types. A design issue in the handling of the exported document types may cause Launch Services to associate a safe file extension with an unsafe Uniform Type Identifier (UTI). Visiting a malicious website may cause an unsafe file type to be opened automatically. This update addresses the issue through improved handling of exported document types from untrusted applications. This issue does not affect systems prior to Mac OS X v10.5, or Mac OS X v10.6 systems. Credit: Apple.

  • MySQL

    CVE-ID: CVE-2008-2079

    Available for: Mac OS X Server v10.5.8

    Impact: MySQL is updated to version 5.0.82

    Description: MySQL is updated to version 5.0.82 to address an implementation issue that allows a local user to obtain elevated privileges. This issue only affects Mac OS X Server systems. This issue does not affect Mac OS X v10.6 systems. Further information is available via the MySQL website at http://dev.mysql.com/doc/refman/5.0/en/news-5-0-82.html

  • PHP

    CVE-ID: CVE-2009-1271, CVE-2009-1272, CVE-2008-5498

    Available for: Mac OS X v10.5, Mac OS X Server v10.5.8

    Impact: multiple vulnerabilities in PHP 5.2.8

    Description: PHP is updated to version 5.2.10 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/ These issues do not affect Mac OS X v10.6 systems.

  • SMB

    CVE-ID: CVE-2009-2813

    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8

    Impact: enabling Windows File Sharing may share folders unexpectedly

    Description: an unchecked error condition exists in Samba. A user who does not have a configured home directory, and connects to the Windows File Sharing service, will be able to access the contents of the file system, subject to local file system permissions. This update addresses the issue by improving the handling of path resolution errors. This issue does not affect systems prior to Mac OS X v10.5, or Mac OS X v10.6 systems. Credit to J. David Hester of LCG Systems National Institutes of Health for reporting this issue.

  • Wiki Server

    CVE-ID: CVE-2009-2814

    Available for: Mac OS X Server v10.5.8

    Impact: a remote attacker may gain access to Wiki Server user accounts

    Description: a cross-site scripting issue exists in the Wiki Server’s handling of search requests containing non-UTF-8 encoded data. This may allow a remote attacker to access a Wiki server with the credentials of the Wiki Server user performing the search. This update addresses the issue by setting UTF-8 as the default character set in HTTP responses. This issue does not affect systems prior to Mac OS X v10.5, or Mac OS X v10.6 systems. Credit: Apple.

Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance or use of information or products found at third-party websites. Apple only provides this as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the internet, and Apple assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website. Please contact the vendor for additional information.

Published Date: