Mac OS X Bugs Let Remote Users Access Data and Execute Arbitrary Code and Local Users Gain System Privileges
SecurityTracker Alert ID: 1023766
SecurityTracker URL: http://securitytracker.com/id/1023766
CVE Reference:
CVE-2009-2801, CVE-2010-0055, CVE-2010-0056, CVE-2010-0059, CVE-2010-0060, CVE-2010-0063, CVE-2010-0064, CVE-2010-0065, CVE-2010-0497, CVE-2010-0498, CVE-2010-0500, CVE-2010-0501, CVE-2010-0505, CVE-2010-0506, CVE-2010-0507, CVE-2010-0509, CVE-2010-0510, CVE-2010-0511, CVE-2010-0512, CVE-2010-0513, CVE-2010-0521, CVE-2010-0522, CVE-2010-0523, CVE-2010-0534, CVE-2010-0537
Date: Mar 30 2010
Impact:
Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Host/resource access via network, Root access via local system, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 10.6.2 and prior versions
Description:
Multiple vulnerabilities were reported in Mac OS X. A remote user can cause arbitrary code to be executed on the target user's system. A user may be able to bypass application firewall rules. A remote user can obtain data from the target user's system. A local user can obtain elevated privileges. A local user can download files from the target system.
Certain Application Firewall rules may become inactive after the system is rebooted due to a timing issue [CVE-2009-2801]. Systems prior to version 10.6 are not affected. Michael Kisor of OrganicOrb.com reported this vulnerability.
A remote user can create a specially crafted xar package that appears to be a valid signed package but is not [CVE-2010-0055]. Systems prior to version 10.6 are not affected.
A remote user can create a specially crafted document that, when spell checked by the target user, will trigger a buffer overflow in the spell checking feature used by Cocoa applications and potentially execute arbitrary code [CVE-2010-0056]. Systems prior to version 10.6 are not affected.
A remote user can create specially crafted QDM2-encoded audio content that, when played by the target user, will trigger a memory corruption error and execute arbitrary code [CVE-2010-0059]. An anonymous researcher reported this vulnerability via TippingPoint's Zero Day Initiative.
A remote user can create specially crafted QDMC-encoded audio content that, when played by the target user, will trigger a memory corruption error and execute arbitrary code [CVE-2010-0060]. An anonymous researcher reported this vulnerability via TippingPoint's Zero Day Initiative.
A remote user can create content that, when downloaded from a web site by the target user, will not be flagged as potentially unsafe [CVE-2010-0063]. '.ibplugin' and '.url' content types are affected. Clint Ruoho of Laconic Security reported this vulnerability.
When an item is copied in the Finder, the original file ownership may be applied to the copied version [CVE-2010-0064]. Systems prior to version 10.6 are not affected. Gerrit DeWitt of Auburn University reported this vulnerability.
A remote user can create a specially crafted bzip2-compressed disk image that, when mounted by the target user, will trigger a memory corruption error and execute arbitrary code [CVE-2010-0065].
A remote user can create a specially crafted Internet-enabled disk image that, when mounted by the target user, will open a package file type instead of displaying it in the Finder [CVE-2010-0497]. Brian Mastenbrook reported this vulnerability via TippingPoint's Zero Day Initiative.
A local user can exploit a flaw in Directory Services in the processing of record names to obtain system privileges [CVE-2010-0498].
A remote user can exploit a flaw in the Event Monitor to inject DNS names into the firewall blacklist plist [CVE-2010-0500].
A remote authenticated user can exploit a directory traversal flaw in the FTP server to gain read access to files located outside of the FTP root directory [CVE-2010-0501]. Only Mac OS X Server systems are affected.
A remote user can create a specially crafted JP2 image that, when viewed by the target user, will trigger a heap overflow and execute arbitrary code [CVE-2010-0505]. Chris Ries of Carnegie Mellon University Computing Service and the researcher "85319bb6e6ab398b334509c50afce5259d42756e" (via TippingPoint's Zero Day Initiative) reported this vulnerability.
A remote user can create a specially crafted NEF image that, when viewed by the target user, will trigger a buffer overflow and execute arbitrary code [CVE-2010-0506]. Version 10.6 and later are not affected.
A remote user can create a specially crafted PEF image that, when viewed by the target user, will trigger a buffer overflow and execute arbitrary code [CVE-2010-0507]. Version 10.6 and later are not affected. Chris Ries of Carnegie Mellon University Computing Services reported this vulnerability.
A local user can exploit a flaw in SFLServer (which runs with 'wheel' group privileges) to gain elevated privileges on the target system [CVE-2010-0509]. Kevin Finisterre of DigitalMunition reported this vulnerability.
Password Server may fail to replicate passwords. A remote user may be able to use a previously valid but outdated password to access the target user's account [CVE-2010-0510]. Only Mac OS X Server systems are affected. Jack Johnson of Anchorage School District reported this vulnerability.
When a Podcast Composer workflow is overwritten, the access restrictions are removed [CVE-2010-0511]. A user may be able to access the workflow.
A remote network account user may be able to bypass system login restrictions [CVE-2010-0512]. Accounts permitted to log in at the Login Window that are identified by group membership only are not subject to restrictions. Systems prior to version 10.6 are not affected. Christopher D. Grieb of University of Michigan MSIS reported this vulnerability.
A remote user can create a specially crafted PostScript file that, when viewed by the target user, will trigger a stack overflow and execute arbitrary code on the target user's system [CVE-2010-0513].
A remote user may be able to obtain potentially sensitive information from Open Directory [CVE-2010-0521]. Only Mac OS X Server systems are affected. Scott Gruby of Gruby Solutions and Mathias Haack of GRAVIS Computervertriebsgesellschaft mbH reported this vulnerability.
A remote user that has been removed from the 'admin' group may be able to connect to the target server via screen sharing [CVE-2010-0522]. Version 10.6 and later are not affected.
A remote user can upload a specially crafted applet. When the target Wiki Server user views the applet, the remote user may be able to obtain potentially sensitive information [CVE-2010-0523]. Only Mac OS X Server systems are affected. Version 10.6 and later are not affected.
A remote authenticated user can bypass Wiki Server weblog creation service access control list restrictions to publish content on the target server [CVE-2010-0534]. Systems prior to version 10.6 are not affected.
A remote user can exploit a path resolution flaw in DesktopServices to access user data on the target system [CVE-2010-0537]. When the target user mounts a share, then saves a file via the default save panel in an application, and then uses the 'Go to Folder' feature or drags folders to the save panel, the target file may be saved to the mounted share. Systems prior to version 10.6 are not affected. Sidney San Martin reported this vulnerability via DeepTech, Inc.
Impact:
A remote user can cause arbitrary code to be executed on the target user's system.
A user may be able to bypass application firewall rules.
A remote user can obtain data from the target user's system.
A local user can obtain elevated privileges.
A local user can download files from the target system.
Solution:
The vendor has issued a fix as part of Security Update 2010-002 / Mac OS X v10.6.3, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Security Update 2010-002 or Mac OS X v10.6.3.
For Mac OS X v10.6.2
The download file is named: MacOSXUpd10.6.3.dmg
Its SHA-1 digest is: d3a310c02fcd8199fe55b11c801659974b3d3ab3
For Mac OS X v10.6 and v10.6.1
The download file is named: MacOSXUpdCombo10.6.3.dmg
Its SHA-1 digest is: 72c12635cf83ab6fe028ddf81b0af7357853f736
For Mac OS X Server v10.6.2
The download file is named: MacOSXServerUpd10.6.3.dmg
Its SHA-1 digest is: 7375540ba74774a93551c0a2281b3f661bb57608
For Mac OS X Server v10.6 and v10.6.1
The download file is named: MacOSXServerUpdCombo10.6.3.dmg
Its SHA-1 digest is: 1c844309397f6cf54dc928a2fc57835865c0a768
For Mac OS X v10.5.8
The download file is named: SecUpd2010-002Leo.dmg
Its SHA-1 digest is: 4f5f212c09f8275a0593b826c226875d2a48e0a6
For Mac OS X Server v10.5.8
The download file is named: SecUpdSrvr2010-002Leo.dmg
Its SHA-1 digest is: 7a5f9d9580c98dcaf2a21bad4877bb16acf500b0
The vendor's advisory is available at:
http://support.apple.com/kb/HT4077
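As an added example (not part of the SecurityTracker advisory or of Apple's update tooling), the following Python script checks a downloaded update package against the SHA-1 digests published above before it is installed. The function names are this example's own, and the files it writes are constructed placeholders, not real update images.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Optional

# SHA-1 digests exactly as published in the Solution section above, keyed by
# the download file name. SHA-1 is what the vendor published for this update.
PUBLISHED_SHA1 = {
    "MacOSXUpd10.6.3.dmg": "d3a310c02fcd8199fe55b11c801659974b3d3ab3",
    "MacOSXUpdCombo10.6.3.dmg": "72c12635cf83ab6fe028ddf81b0af7357853f736",
    "MacOSXServerUpd10.6.3.dmg": "7375540ba74774a93551c0a2281b3f661bb57608",
    "MacOSXServerUpdCombo10.6.3.dmg": "1c844309397f6cf54dc928a2fc57835865c0a768",
    "SecUpd2010-002Leo.dmg": "4f5f212c09f8275a0593b826c226875d2a48e0a6",
    "SecUpdSrvr2010-002Leo.dmg": "7a5f9d9580c98dcaf2a21bad4877bb16acf500b0",
}


def sha1_hex(data: bytes) -> str:
    """SHA-1 of an in-memory byte string as lowercase hex."""
    return hashlib.sha1(data).hexdigest()


def sha1_hex_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-1 of a file, streamed in 1 MiB chunks so a large .dmg never has
    to be held in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: str, expected: Optional[str] = None) -> str:
    """Return "ok", "mismatch" or "unknown" for a downloaded package.

    The expected digest defaults to the published one for the file's name;
    "unknown" means there is nothing to compare against, which is not a pass.
    """
    if expected is None:
        expected = PUBLISHED_SHA1.get(os.path.basename(path))
    if expected is None:
        return "unknown"
    actual = sha1_hex_of_file(path)
    # Constant-time compare; defence in depth rather than a hard need here.
    return "ok" if hmac.compare_digest(actual, expected.lower()) else "mismatch"


def demo() -> dict:
    """Verify three constructed files in a temp dir (none is a real update)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        placeholder = b"constructed sample payload, not an Apple update image"
        cases = [
            # Published name but placeholder bytes: must be reported as tampered.
            ("MacOSXUpd10.6.3.dmg", placeholder, None),
            # A name the advisory does not list: nothing to compare against.
            ("unrelated.dmg", placeholder, None),
            # Caller-supplied digest (the well-known SHA-1 of b"abc") verifies.
            ("abc.bin", b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
        ]
        for name, payload, expected in cases:
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(payload)
            results[name] = verify_download(path, expected)
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Treat "unknown" as a failed check, not a pass: a package whose name is not in the published table has no digest to verify against.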
Vendor URL: support.apple.com/kb/HT4077
Cause:
Access control error, Boundary error
Underlying OS:
Message History:
None.
Source Message Contents
Date: Tue, 30 Mar 2010 01:56:53 +0000
Subject: Mac OS X
APPLE-SA-2010-03-29-1 Security Update 2010-002 / Mac OS X v10.6.3
Application Firewall
CVE-ID: CVE-2009-2801
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Certain rules in the Application Firewall may become
inactive after restart
Description: A timing issue in the Application Firewall may cause
certain rules to become inactive after reboot. The issue is addressed
through improved handling of Firewall rules. This issue does not
affect Mac OS X v10.6 systems. Credit to Michael Kisor of
OrganicOrb.com for reporting this issue.
xar
CVE-ID: CVE-2010-0055
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: A modified package may appear as validly signed
Description: A design issue exists in xar when validating a package
signature. This may allow a modified package to appear as validly
signed. This issue is fixed through improved package signature
validation. This issue does not affect Mac OS X v10.6 systems.
Credit: Apple.
AppKit
CVE-ID: CVE-2010-0056
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Spell checking a maliciously crafted document may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in the spell checking feature
used by Cocoa applications. Spell checking a maliciously crafted
document may lead to an unexpected application termination or
arbitrary code execution. This issue is addressed through improved
bounds checking. This issue does not affect Mac OS X v10.6 systems.
Credit: Apple.
CoreAudio
CVE-ID: CVE-2010-0059
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: Playing maliciously crafted audio content may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of
QDM2 encoded audio content. Playing maliciously crafted audio content
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved bounds checking.
Credit to an anonymous researcher working with TippingPoint's Zero
Day Initiative for reporting this issue.
CoreAudio
CVE-ID: CVE-2010-0060
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: Playing maliciously crafted audio content may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of
QDMC encoded audio content. Playing maliciously crafted audio content
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved bounds checking.
Credit to an anonymous researcher working with TippingPoint's Zero
Day Initiative for reporting this issue.
CoreTypes
CVE-ID: CVE-2010-0063
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Users are not warned before opening certain potentially
unsafe content types
Description: This update adds .ibplugin and .url to the system's
list of content types that will be flagged as potentially unsafe
under certain circumstances, such as when they are downloaded from a
web page. While these content types are not automatically launched,
if manually opened they could lead to the execution of a malicious
JavaScript payload or arbitrary code execution. This update improves
the system's ability to notify users before handling content types
used by Safari. Credit to Clint Ruoho of Laconic Security for
reporting this issue.
DesktopServices
CVE-ID: CVE-2010-0064
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: Items copied in the Finder may be assigned an unexpected
file owner
Description: When performing an authenticated copy in the Finder,
original file ownership may be unexpectedly copied. This update
addresses the issue by ensuring that copied files are owned by the
user performing the copy. This issue does not affect systems prior to
Mac OS X v10.6. Credit to Gerrit DeWitt of Auburn University (Auburn,
AL) for reporting this issue.
Disk Images
CVE-ID: CVE-2010-0065
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Mounting a maliciously crafted disk image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of
bzip2 compressed disk images. Mounting a maliciously crafted disk
image may lead to an unexpected application termination or arbitrary
code execution. This issue is addressed through improved bounds
checking. Credit: Apple.
Disk Images
CVE-ID: CVE-2010-0497
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Mounting a maliciously crafted disk image may lead to
arbitrary code execution
Description: A design issue exists in the handling of internet
enabled disk images. Mounting an internet enabled disk image
containing a package file type will open it rather than revealing it
in the Finder. This file quarantine feature helps to mitigate this
issue by providing a warning dialog for unsafe file types. This issue
is addressed through improved handling of package file types on
internet enabled disk images. Credit to Brian Mastenbrook working
with TippingPoint's Zero Day Initiative for reporting this issue.
Directory Services
CVE-ID: CVE-2010-0498
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: A local user may obtain system privileges
Description: An authorization issue in Directory Services' handling
of record names may allow a local user to obtain system privileges.
This issue is addressed through improved authorization checks.
Credit: Apple.
Event Monitor
CVE-ID: CVE-2010-0500
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: A remote attacker may cause arbitrary systems to be added to
the firewall blacklist
Description: A reverse DNS lookup is performed on remote ssh clients
that fail to authenticate. A plist injection issue exists in the
handling of resolved DNS names. This may allow a remote attacker to
cause arbitrary systems to be added to the firewall blacklist. This
issue is addressed by properly escaping resolved DNS names. Credit:
Apple.
FTP Server
CVE-ID: CVE-2010-0501
Available for: Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.2
Impact: Users may be able to retrieve files outside the FTP root
directory
Description: A directory traversal issue exists in FTP Server. This
may allow a user to retrieve files outside the FTP root directory.
This issue is addressed through improved handling of file names. This
issue only affects Mac OS X Server systems. Credit: Apple.
ImageIO
CVE-ID: CVE-2010-0505
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Viewing a maliciously crafted JP2 image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of JP2
images. Viewing a maliciously crafted JP2 image may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. Credit to Chris
Ries of Carnegie Mellon University Computing Service, and researcher
"85319bb6e6ab398b334509c50afce5259d42756e" working with
TippingPoint's Zero Day Initiative for reporting this issue.
Image RAW
CVE-ID: CVE-2010-0506
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Viewing a maliciously crafted NEF image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in Image RAW's handling of NEF
images. Viewing a maliciously crafted NEF image may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. This issue does
not affect Mac OS X v10.6 systems. Credit: Apple.
Image RAW
CVE-ID: CVE-2010-0507
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Viewing a maliciously crafted PEF image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in Image RAW's handling of PEF
images. Viewing a maliciously crafted PEF image may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. Credit to Chris
Ries of Carnegie Mellon University Computing Services for reporting
this issue.
OS Services
CVE-ID: CVE-2010-0509
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: A local user may be able to obtain elevated privileges
Description: A privilege escalation issue exists in SFLServer, as it
runs as group 'wheel' and accesses files in users' home directories.
This issue is addressed through improved privilege management. Credit
to Kevin Finisterre of DigitalMunition for reporting this issue.
Password Server
CVE-ID: CVE-2010-0510
Available for: Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.2
Impact: A remote attacker may be able to log in with an outdated
password
Description: An implementation issue in Password Server's handling
of replication may cause passwords to not be replicated. A remote
attacker may be able to log in to a system using an outdated
password. This issue is addressed through improved handling of
password replication. This issue only affects Mac OS X Server
systems. Credit to Jack Johnson of Anchorage School District for
reporting this issue.
Podcast Producer
CVE-ID: CVE-2010-0511
Available for: Mac OS X Server v10.6 through v10.6.2
Impact: An unauthorized user may be able to access a Podcast
Composer workflow
Description: When a Podcast Composer workflow is overwritten, the
access restrictions are removed. This may allow an unauthorized user
to access a Podcast Composer workflow. This issue is addressed
through improved handling of workflow access restrictions. Podcast
Composer was introduced in Mac OS X Server v10.6.
Preferences
CVE-ID: CVE-2010-0512
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: A network user may be able to bypass system login
restrictions
Description: An implementation issue exists in the handling of
system login restrictions for network accounts. If the network
accounts allowed to log in to the system at the Login Window are
identified by group membership only, the restriction will not be
enforced, and all network users will be allowed to log in to the
system. The issue is addressed through improved group restriction
management in the Accounts preference pane. This issue only affects
systems configured to use a network account server, and does not
affect systems prior to Mac OS X v10.6. Credit to Christopher D.
Grieb of University of Michigan MSIS for reporting this issue.
PS Normalizer
CVE-ID: CVE-2010-0513
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Viewing a maliciously crafted PostScript file may lead to an
unexpected application termination or arbitrary code execution
Description: A stack buffer overflow exists in the handling of
PostScript files. Viewing a maliciously crafted PostScript file may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed by performing additional
validation of PostScript files. On Mac OS X v10.6 systems this issue
is mitigated by the -fstack-protector compiler flag. Credit: Apple.
Server Admin
CVE-ID: CVE-2010-0521
Available for: Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.2
Impact: A remote attacker may extract information from Open
Directory
Description: A design issue exists in the handling of authenticated
directory binding. A remote attacker may be able to anonymously
extract information from Open Directory, even if the "Require
authenticated binding between directory and clients" option is
enabled. The issue is addressed by removing this configuration
option. This issue only affects Mac OS X Server systems. Credit to
Scott Gruby of Gruby Solutions, and Mathias Haack of GRAVIS
Computervertriebsgesellschaft mbH for reporting this issue.
Server Admin
CVE-ID: CVE-2010-0522
Available for: Mac OS X Server v10.5.8
Impact: A former administrator may have unauthorized access to
screen sharing
Description: A user who is removed from the 'admin' group may still
connect to the server using screen sharing. This issue is addressed
through improved handling of administrator privileges. This issue
only affects Mac OS X Server systems, and does not affect version
10.6 or later. Credit: Apple.
Wiki Server
CVE-ID: CVE-2010-0523
Available for: Mac OS X Server v10.5.8
Impact: Uploading a maliciously crafted applet may lead to the
disclosure of sensitive information
Description: Wiki Server allows users to upload active content such
as Java applets. A remote attacker may obtain sensitive information
by uploading a maliciously crafted applet and directing a Wiki Server
user to view it. The issue is addressed by restricting the file types
that may be uploaded to the Wiki Server. This issue only affects Mac
OS X Server systems, and does not affect versions 10.6 or later.
Wiki Server
CVE-ID: CVE-2010-0534
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: An authenticated user may bypass weblog creation
restrictions
Description: Wiki Server supports service access control lists
(SACLs), allowing an administrator to control the publication of
content. Wiki Server fails to consult the weblog SACL during the
creation of a user's weblog. This may allow an authenticated user to
publish content to the Wiki Server, even though publication should be
disallowed by the service ACL. This issue does not affect systems
prior to Mac OS X v10.6.
DesktopServices
CVE-ID: CVE-2010-0537
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: A remote attacker may gain access to user data via a multi-
stage attack
Description: A path resolution issue in DesktopServices is
vulnerable to a multi-stage attack. A remote attacker must first
entice the user to mount an arbitrarily named share, which may be
done via a URL scheme. When saving a file using the default save
panel in any application, and using "Go to folder" or dragging
folders to the save panel, the data may be unexpectedly saved to the
malicious share. This issue is addressed through improved path
resolution. This issue does not affect systems prior to Mac OS X
v10.6. Credit to Sidney San Martin working with DeepTech, Inc. for
reporting this issue.
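The Event Monitor issue (CVE-2010-0500) above is a data-to-markup injection: a resolved reverse-DNS name, which the remote side can influence, was spliced into the blacklist plist as raw text. As an added example that is not Apple's code, the following Python contrasts that pattern with the hardened form the advisory describes (escaping, here done by plistlib's serializer, plus a syntactic allow-list on the name). The hostile host name and the builder functions are constructed for this example.

```python
import plistlib
import re
from typing import List

# Syntactic allow-list for a resolved host name: dot-separated labels of
# letters, digits and hyphens, 63 chars per label, 253 chars overall.
# Nothing else from a PTR answer should reach a configuration file.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*\.?$"
)

# Constructed hostile PTR answer: a "name" that carries plist markup.
HOSTILE_NAME = "203.0.113.9.example</string><string>trusted.example"


def blacklist_plist_unescaped(names: List[str]) -> bytes:
    """The vulnerable pattern: names pasted into XML by string formatting."""
    body = "".join(f"<string>{n}</string>" for n in names)
    doc = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<plist version="1.0"><array>' + body + "</array></plist>\n"
    )
    return doc.encode("utf-8")


def blacklist_plist_escaped(names: List[str]) -> bytes:
    """The hardened pattern: the serializer escapes markup characters."""
    return plistlib.dumps(list(names))


def is_plausible_hostname(name: str) -> bool:
    """Defence in depth: reject resolved names that are not valid DNS syntax."""
    return bool(_HOSTNAME_RE.match(name))


def blacklist_entries(plist_bytes: bytes) -> List[str]:
    """Parse the plist back the way a consumer would and return its entries."""
    return list(plistlib.loads(plist_bytes))


def compare(names: List[str]) -> dict:
    """Entries each builder yields for the same input, plus the allow-listed
    subset of the input. With a hostile name the unescaped builder grows the
    blacklist by an entry the lookup never returned."""
    return {
        "unescaped": blacklist_entries(blacklist_plist_unescaped(names)),
        "escaped": blacklist_entries(blacklist_plist_escaped(names)),
        "accepted": [n for n in names if is_plausible_hostname(n)],
    }


if __name__ == "__main__":
    for key, value in compare(["198.51.100.7", HOSTILE_NAME]).items():
        print(f"{key}: {value}")
```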