About Security Update 2007-009

This document describes Security Update 2007-009, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

Security Update 2007-009

  • Address Book

    CVE-ID: CVE-2007-4708

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: A format string vulnerability exists in Address Book's URL handler. By enticing a user to visit a maliciously crafted website, a remote attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of format strings. This issue does not affect systems running Mac OS X 10.5 or later.

  • CFNetwork

    CVE-ID: CVE-2007-4709

    Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

    Impact: Visiting a malicious website could allow the automatic download of files to arbitrary folders to which the user has write permission

    Description: A path traversal issue exists in CFNetwork's handling of downloaded files. By enticing a user to visit a malicious website, an attacker may cause the automatic download of files to arbitrary folders to which the user has write permission. This update addresses the issue through improved processing of HTTP responses. This issue does not affect systems prior to Mac OS X 10.5. Credit to Sean Harding for reporting this issue.

  • ColorSync

    CVE-ID: CVE-2007-4710

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue exists in the handling of images with an embedded ColorSync profile. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of images. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Tom Ferris of Adobe Secure Software Engineering Team (ASSET) for reporting this issue.

  • Core Foundation

    CVE-ID: CVE-2007-5847

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: Usage of CFURLWriteDataAndPropertiesToResource API may lead to the disclosure of sensitive information

    Description: A race condition exists in the CFURLWriteDataAndPropertiesToResource API, which may cause files to be created with insecure permissions. This may lead to the disclosure of sensitive information. This update addresses the issue through improved file handling. This issue does not affect systems running Mac OS X 10.5 or later.

  • CUPS

    CVE-ID: CVE-2007-5848

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: A local admin user may be able to gain system privileges

    Description: A buffer overflow issue exists in the printer driver for CUPS. This may allow a local admin user to gain system privileges by passing a maliciously crafted URI to the CUPS service. This update addresses the issue by ensuring that the destination buffer is sized to contain the data. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Dave Camp at Critical Path Software for reporting this issue.

  • CUPS

    CVE-ID: CVE-2007-4351

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1

    Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue exists in the handling of Internet Printing Protocol (IPP) tags, which may allow a remote attacker to cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

  • CUPS

    CVE-ID: CVE-2007-5849

    Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

    Impact: If SNMP is enabled, a remote attacker may cause an unexpected application termination or arbitrary code execution

    Description: The CUPS backend SNMP program broadcasts SNMP requests to discover network print servers. A stack buffer overflow may result from an integer underflow in the handling of SNMP responses. If SNMP is enabled, a remote attacker may exploit this issue by sending a maliciously crafted SNMP response, which may cause an application termination or arbitrary code execution. This update addresses the issue by performing additional validation of SNMP responses. This issue does not affect systems prior to Mac OS X 10.5. Credit to Wei Wang of McAfee Avert Labs for reporting this issue.

  • Desktop Services

    CVE-ID: CVE-2007-5850

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: Opening a directory containing a maliciously crafted .DS_Store file in Finder may lead to arbitrary code execution

    Description: A heap buffer overflow exists in Desktop Services. By enticing a user to open a directory containing a maliciously crafted .DS_Store file, an attacker may cause arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X 10.5 or later.

  • Flash Player Plug-in

    CVE-ID: CVE-2007-5476

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1

    Impact: Multiple vulnerabilities in Adobe Flash Player Plug-in

    Description: Multiple input validation issues exist in Adobe Flash Player Plug-in, which may lead to arbitrary code execution. This update addresses the issue by updating Adobe Flash Player to version 9.0.115.0. Further information is available via the Adobe site at http://www.adobe.com/support/security/bulletins/apsb07-20.html. Credit to Opera Software for reporting this issue.

  • GNU Tar

    CVE-ID: CVE-2007-4131

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: Extracting a maliciously crafted tar archive could overwrite arbitrary files

    Description: A directory traversal issue exists in GNU Tar. By enticing a local user to extract a maliciously crafted tar archive, an attacker may cause arbitrary files to be overwritten. This issue has been addressed by performing additional validation of tar files. This issue does not affect systems running Mac OS X 10.5 or later.

  • iChat

    CVE-ID: CVE-2007-5851

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: A person on the local network may initiate a video connection without the user's approval

    Description: An attacker on the local network may initiate a video conference with a user without the user's approval. This update addresses the issue by requiring user interaction to initiate a video conference. This issue does not affect systems running Mac OS X 10.5 or later.

  • IO Storage Family

    CVE-ID: CVE-2007-5853

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: Opening a maliciously crafted disk image may lead to an unexpected system shutdown or arbitrary code execution

    Description: A memory corruption issue exists in the handling of GUID partition maps within a disk image. By enticing a user to open a maliciously crafted disk image, an attacker may cause an unexpected system shutdown or arbitrary code execution. This update addresses the issue through additional validation of GUID partition maps. This issue does not affect systems running Mac OS X 10.5 or later.

  • Launch Services

    CVE-ID: CVE-2007-5854

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1

    Impact: Opening a maliciously crafted HTML file may lead to information disclosure or cross-site scripting

    Description: Launch Services does not handle HTML files as potentially unsafe content. By enticing a user to open a maliciously crafted HTML file, an attacker may cause the disclosure of sensitive information or cross-site scripting. This update addresses the issue by handling HTML files as potentially unsafe content. Credit to Michal Zalewski of Google Inc. for reporting this issue.

  • Launch Services

    CVE-ID: CVE-2007-6165

    Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

    Impact: Opening an executable mail attachment may lead to arbitrary code execution with no warning

    Description: An implementation issue exists in Launch Services, which may allow executable mail attachments to be run without warning when a user opens a mail attachment. This update addresses the issue by warning the user before launching executable mail attachments. This issue does not affect systems prior to Mac OS X 10.5. Credit to Xeno Kovah for reporting this issue.

  • Mail

    CVE-ID: CVE-2007-5855

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: SMTP accounts set up through Account Assistant may use plaintext authentication even when MD5 Challenge-Response authentication is available

    Description: When setting up an SMTP account through Account Assistant, if SMTP authentication is selected, and if the server supports only MD5 Challenge-Response authentication and plaintext authentication, Mail defaults to using plaintext authentication. This update addresses the issue by ensuring that the most secure available mechanism is used. This issue does not affect systems running Mac OS X 10.5 or later.

  • perl

    CVE-ID: CVE-2007-5116

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1

    Impact: Parsing regular expressions may lead to arbitrary code execution

    Description: A length calculation issue exists in the polymorphic opcode support in the Perl Regular Expression compiler. This may allow an attacker to cause memory corruption leading to arbitrary code execution by switching from byte to Unicode (UTF) characters in a regular expression. This update addresses the issue by recomputing the length if the character encoding changes. Credit to Tavis Ormandy and Will Drewry of Google Security Team for reporting this issue.

  • python

    CVE-ID: CVE-2007-4965

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1

    Impact: Processing image content with imageop module may lead to an unexpected application termination or arbitrary code execution

    Description: Multiple integer overflows exist in python's imageop module. These may cause a buffer overflow to occur in applications which use the module to process maliciously crafted image content. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of image content.

  • Quick Look

    CVE-ID: CVE-2007-5856

    Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

    Impact: Previewing a file with QuickLook enabled may lead to the disclosure of sensitive information

    Description: When previewing an HTML file, plug-ins are not restricted from making network requests. This may lead to the disclosure of sensitive information. This update addresses the issue by disabling plug-ins. This issue does not affect systems prior to Mac OS X 10.5.

  • Quick Look

    CVE-ID: CVE-2007-5857

    Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

    Impact: Previewing a movie file may access URLs contained in the movie

    Description: Creating an icon for a movie file, or previewing that file using QuickLook may access URLs contained in the movie. This update addresses the issue by disabling HREFTrack while browsing movie files. This issue does not affect systems prior to Mac OS X 10.5, or systems with QuickTime 7.3 installed. Credit to Lukhnos D. Liu of Lithoglyph Inc. for reporting this issue.

  • ruby

    CVE-ID: CVE-2007-5770

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1

    Impact: Multiple SSL certificate validation issues exist in ruby libraries

    Description: Multiple ruby libraries are affected by SSL certificate validation issues. This may lead to man-in-the-middle attacks against applications that use an affected library. This update addresses the issues by applying the ruby patch.

  • ruby

    CVE-ID: CVE-2007-5379, CVE-2007-5380, CVE-2007-6077

    Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

    Impact: Multiple vulnerabilities exist in Rails 1.2.3

    Description: Multiple vulnerabilities exist in Rails 1.2.3, which may lead to the disclosure of sensitive information. This update addresses the issue by updating Rails to version 1.2.6. This issue does not affect systems prior to Mac OS X 10.5.

  • Safari

    CVE-ID: CVE-2007-5858

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1

    Impact: Visiting a malicious website may result in the disclosure of sensitive information

    Description: WebKit allows a page to navigate the subframes of any other page. Visiting a maliciously crafted web page could trigger a cross-site scripting attack, which may lead to the disclosure of sensitive information. This update addresses the issue by implementing a stricter frame navigation policy.

  • Safari RSS

    CVE-ID: CVE-2007-5859

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: Accessing a maliciously crafted feed: URL may lead to an application termination or arbitrary code execution

    Description: A memory corruption issue exists in Safari's handling of feed: URLs. By enticing a user to access a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of feed: URLs and providing an error message in case of an invalid URL. This issue does not affect systems running Mac OS X 10.5 or later.

  • Samba

    CVE-ID: CVE-2007-4572, CVE-2007-5398

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1

    Impact: Multiple vulnerabilities in Samba

    Description: Multiple vulnerabilities exist in Samba, the most serious of which is remote code execution. This update addresses the issues by applying patches from the Samba project. Further information is available via the Samba web site at http://www.samba.org/samba/history/security.html. CVE-2007-4138 does not affect systems prior to Mac OS X 10.5. Credit to Alin Rad Pop of Secunia Research for reporting this issue.

  • Shockwave Plug-in

    CVE-ID: CVE-2006-0024

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1

    Impact: Opening maliciously crafted Shockwave content may lead to arbitrary code execution

    Description: Multiple vulnerabilities exist in Shockwave Player. By enticing a user to open maliciously crafted Shockwave content, an attacker may cause arbitrary code execution. This update addresses the issues by updating Shockwave Player to version 10.1.1.016. Credit to Jan Hacker of ETH Zurich for reporting the problem in Shockwave.

  • SMB

    CVE-ID: CVE-2007-3876

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: A local user may be able to execute arbitrary code with system privileges

    Description: A stack buffer overflow issue exists in the code used by the mount_smbfs and smbutil applications to parse command line arguments, which may allow a local user to cause arbitrary code execution with system privileges. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Sean Larsson of VeriSign iDefense Labs for reporting this issue.

  • Software Update

    CVE-ID: CVE-2007-5863

    Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

    Impact: A man-in-the-middle attack could cause Software Update to execute arbitrary commands

    Description: When Software Update checks for new updates, it processes a distribution definition file which was sent by the update server. By intercepting requests to the update server, an attacker can provide a maliciously crafted distribution definition file with the "allow-external-scripts" option, which may cause arbitrary command execution when a system checks for new updates. This update addresses the issue by disallowing the "allow-external-scripts" option in Software Update. This issue does not affect systems prior to Mac OS X 10.5. Credit to Moritz Jodeit for reporting this issue.

  • Spin Tracer

    CVE-ID: CVE-2007-5860

    Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

    Impact: A local user may be able to execute arbitrary code with system privileges

    Description: An insecure file operation exists in SpinTracer's handling of output files, which may allow a local user to execute arbitrary code with system privileges. This update addresses the issue through improved handling of output files. This issue does not affect systems prior to Mac OS X 10.5. Credit to Kevin Finisterre of DigitalMunition for reporting this issue.

  • Spotlight

    CVE-ID: CVE-2007-5861

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: Downloading a maliciously crafted .xls file may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue exists in the Microsoft Office Spotlight Importer. By enticing a user to download a maliciously crafted .xls file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of .xls files. This issue does not affect systems running Mac OS X 10.5 or later.

  • tcpdump

    CVE-ID: CVE-2007-1218, CVE-2007-3798

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: Multiple vulnerabilities in tcpdump

    Description: Multiple vulnerabilities exist in tcpdump, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating tcpdump to version 3.9.7. This issue does not affect systems running Mac OS X 10.5 or later.

  • XQuery

    CVE-ID: CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: Multiple vulnerabilities in the handling of regular expressions

    Description: Multiple vulnerabilities exist in the Perl Compatible Regular Expressions (PCRE) library used by XQuery, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating PCRE to version 7.3. Further information is available via the PCRE web site at http://www.pcre.org/. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Tavis Ormandy and Will Drewry of Google Security Team for reporting this issue.
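
The CUPS entry for CVE-2007-5849 above traces a stack buffer overflow to an integer underflow while handling SNMP responses, fixed by additional validation. The following is an added example, not CUPS code and not part of the original advisory: a reader for one BER-encoded string (SNMP messages are BER-encoded) in which every length is unsigned and is checked against the remaining packet and the destination buffer before it is used. The function names and the sample packet are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a BER length at buf[*pos]. Invariant kept throughout: *pos <= buflen,
 * so "buflen - *pos" can never wrap around. Returns 0 on success, -1 on error. */
static int ber_read_length(const uint8_t *buf, size_t buflen, size_t *pos, size_t *out)
{
    if (*pos >= buflen) return -1;
    uint8_t first = buf[(*pos)++];
    if (first < 0x80) { *out = first; return 0; }          /* short form */

    size_t nbytes = first & 0x7f;                           /* long form */
    if (nbytes == 0 || nbytes > sizeof(size_t)) return -1;  /* indefinite or oversized */
    if (nbytes > buflen - *pos) return -1;                  /* truncated packet */

    size_t len = 0;                                         /* unsigned: never negative */
    while (nbytes--) len = (len << 8) | buf[(*pos)++];
    *out = len;
    return 0;
}

/* Copy one OCTET STRING (tag 0x04) into dst as a NUL-terminated string.
 * The claimed length is checked against both the bytes left in the packet
 * and the room in dst BEFORE any copy uses it. */
int ber_get_string(const uint8_t *buf, size_t buflen, size_t *pos,
                   char *dst, size_t dstsize)
{
    size_t len;
    if (dstsize == 0 || *pos >= buflen || buf[*pos] != 0x04) return -1;
    (*pos)++;
    if (ber_read_length(buf, buflen, pos, &len) != 0) return -1;
    if (len > buflen - *pos) return -1;   /* length field lies about the packet */
    if (len > dstsize - 1) return -1;     /* would overflow the caller's buffer */
    memcpy(dst, buf + *pos, len);
    dst[len] = '\0';
    *pos += len;
    return 0;
}

int main(void)
{
    /* Constructed sample: OCTET STRING whose length field claims 0xFFFFFFFF bytes. */
    const uint8_t bad[] = { 0x04, 0x84, 0xff, 0xff, 0xff, 0xff, 'A' };
    char name[16];
    size_t pos = 0;
    printf("oversized length rejected: %s\n",
           ber_get_string(bad, sizeof bad, &pos, name, sizeof name) ? "yes" : "no");
    return 0;
}
```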
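
The CFNetwork (CVE-2007-4709) and GNU Tar (CVE-2007-4131) entries above both describe a file landing outside the intended folder because of a traversal in its path. The following is an added example, not Apple or GNU code: a check that a download or extraction routine can apply to a name from untrusted input before joining it to the destination folder. The function name `safe_join` and the sample paths are hypothetical, and it assumes the name arrives as a `/`-separated string.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Build "<base>/<name>" in out. Returns 0 on success, -1 if name is empty,
 * absolute, contains a ".." component, or the result does not fit in out. */
int safe_join(const char *base, const char *name, char *out, size_t outsize)
{
    if (!base || !name || !out || outsize == 0) return -1;
    out[0] = '\0';
    if (name[0] == '\0' || name[0] == '/') return -1;   /* empty or absolute */

    /* Walk the components; any ".." is refused outright rather than resolved,
     * because an earlier component may be a symlink on the target system. */
    for (const char *p = name; *p; ) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') return -1;
        p += n;
        while (*p == '/') p++;
    }

    int w = snprintf(out, outsize, "%s/%s", base, name);
    if (w < 0 || (size_t)w >= outsize) {                /* truncated: refuse */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample names, as they might appear in an archive listing. */
    const char *names[] = { "docs/readme.txt", "../../Library/x.plist",
                            "/etc/hosts", "a/../b", "notes..old/c" };
    char path[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-24s %s\n", names[i],
               safe_join("/Users/u/Downloads", names[i], path, sizeof path) == 0
                   ? path : "REJECTED");
    return 0;
}
```

The check covers the name only; symlinks already present in the destination or created by earlier archive members need separate handling when the file is opened.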
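
The Mail entry for CVE-2007-5855 above says the fix ensures that the most secure available SMTP authentication mechanism is used. The following is an added example, not Mail's code: it picks a mechanism from a server's EHLO reply by strength rather than by the order the server lists them. It assumes "MD5 Challenge-Response" corresponds to the SASL mechanism CRAM-MD5 and plaintext authentication to PLAIN and LOGIN; the function names and the sample reply are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed preference order, strongest first: challenge-response before
 * the two mechanisms that send the password in recoverable form. */
static const char *const PREFERENCE[] = { "CRAM-MD5", "PLAIN", "LOGIN" };
#define NPREF (sizeof PREFERENCE / sizeof PREFERENCE[0])

static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)a[i]) != toupper((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Rank of one advertised token: index into PREFERENCE, or NPREF if unknown. */
static size_t rank_of(const char *tok, size_t len)
{
    for (size_t i = 0; i < NPREF; i++)
        if (strlen(PREFERENCE[i]) == len && eq_nocase(tok, PREFERENCE[i], len))
            return i;
    return NPREF;
}

/* Scan an EHLO reply for "250-AUTH ...", "250 AUTH ..." or "AUTH=..." lines and
 * return the strongest mechanism offered, or NULL if none is recognised. */
const char *choose_smtp_auth(const char *reply)
{
    size_t best = NPREF;
    for (const char *line = reply; line && *line; ) {
        const char *eol = strpbrk(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > 8 && strncmp(line, "250", 3) == 0 &&
            (line[3] == '-' || line[3] == ' ') && eq_nocase(line + 4, "AUTH", 4) &&
            (line[8] == ' ' || line[8] == '=')) {
            const char *p = line + 9, *end = line + len;
            while (p < end) {
                while (p < end && *p == ' ') p++;
                const char *tok = p;
                while (p < end && *p != ' ') p++;
                size_t r = rank_of(tok, (size_t)(p - tok));
                if (r < best) best = r;   /* keep the strongest seen so far */
            }
        }
        line = eol ? eol + strspn(eol, "\r\n") : NULL;
    }
    return best < NPREF ? PREFERENCE[best] : NULL;
}

int main(void)
{
    /* Constructed EHLO reply: the server lists plaintext mechanisms first. */
    const char *reply = "250-mail.example.test\r\n250-AUTH PLAIN LOGIN CRAM-MD5\r\n250 HELP\r\n";
    printf("selected: %s\n", choose_smtp_auth(reply));
    return 0;
}
```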

Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance or use of information or products found at third-party websites. Apple provides this only as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the Internet, and Apple assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website. Please contact the vendor for additional information.