SecurityTracker.com
Category:   OS (UNIX)  >   Mac OS X
Vendors:   Apple Computer
Mac OS X Lets Remote Users Execute Arbitrary Code, Deny Service, and Obtain Information
SecurityTracker Alert ID:  1024723
SecurityTracker URL:  http://securitytracker.com/id/1024723
CVE Reference:   CVE-2010-0105, CVE-2010-1803, CVE-2010-1828, CVE-2010-1829, CVE-2010-1830, CVE-2010-1831, CVE-2010-1832, CVE-2010-1833, CVE-2010-1834, CVE-2010-1836, CVE-2010-1837, CVE-2010-1838, CVE-2010-1840, CVE-2010-1841, CVE-2010-1842, CVE-2010-1843, CVE-2010-1844, CVE-2010-1845, CVE-2010-1846, CVE-2010-1847, CVE-2010-2249, CVE-2010-3783, CVE-2010-3784, CVE-2010-3785, CVE-2010-3786, CVE-2010-3797, CVE-2010-3798
Date:  Nov 11 2010
Impact:   Denial of service via local system, Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 10.5.8, 10.6.4
Description:   Multiple vulnerabilities were reported in Mac OS X. A remote or remote authenticated user can execute arbitrary code on the target system. A remote or local user can cause denial of service conditions. A remote user can obtain potentially sensitive information.

A remote user can trigger a null pointer dereference and cause the target AFP Server to shut down [CVE-2010-1828].

A remote authenticated user can exploit a directory traversal flaw to create files and cause arbitrary code execution [CVE-2010-1829].

A remote user can determine the existence of an AFP share [CVE-2010-1830].

A remote user can trigger a buffer overflow in AppKit [CVE-2010-1842]. Jesse Ruderman of Mozilla Corporation reported this vulnerability.

A remote user can create a specially crafted font, document, disk image, or web page that, when loaded by the target user, will execute arbitrary code [CVE-2010-1811, CVE-2010-1831, CVE-2010-1832, CVE-2010-1833, CVE-2010-1797, CVE-2010-1752, CVE-2010-1834, CVE-2010-1836, CVE-2010-1837, CVE-2010-1841, CVE-2010-1844, CVE-2010-1845, CVE-2010-1846, CVE-2010-3785, CVE-2010-3786, CVE-2010-3798].

Marc Schoenefeld of Red Hat, Christoph Diehl of Mozilla, Matias Eissler and Anibal Sacco of Core Security Technologies, Laurent OUDOT of TEHTRI-Security, Neil Fryer of IT Security Geeks, Andrew Kiss, Tobias Klein via iDefense VCP, Steven Fisher of Discovery Software Ltd., and Dominic Chell of NGSSoftware reported these vulnerabilities.

A local user can bypass the Directory Service password validation and log in to a mobile account [CVE-2010-1838].

A remote user can trigger a stack buffer overflow in Directory Services in the validation of password data to execute arbitrary code [CVE-2010-1840]. Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT) and Rainer Mueller reported this vulnerability.

A local user can exploit a flaw in diskdev_cmds to prevent the system from starting properly [CVE-2010-0105]. Maksymilian Arciemowicz of SecurityReason reported this vulnerability.

A local user can exploit a flaw in the handling of terminal devices to trigger a memory management error and cause the system to shut down [CVE-2010-1847].

A remote user can send specially crafted Protocol Independent Multicast (PIM) packets to trigger a null pointer dereference and cause the target system to shut down [CVE-2010-1843]. An anonymous researcher reported this vulnerability via TippingPoint's Zero Day Initiative.

A remote attacker can log in with an outdated password due to a Password Server replication flaw [CVE-2010-3783].

A remote user can send specially crafted XML data to applications using the PMPageFormatCreateWithDataRepresentation API to trigger a null dereference and cause the target application to crash [CVE-2010-3784]. Wujun Li of Microsoft reported this vulnerability.

A remote attacker can access a target user's Time Machine information [CVE-2010-1803].

A remote user who can edit wiki pages can inject JavaScript to obtain the credentials of a target user [CVE-2010-3797].

Impact:   A remote user or remote authenticated user can execute arbitrary code on the target system.

A remote or local user can cause denial of service conditions.

A local user can log in to a mobile account.

A remote user can obtain Time Machine information.

A remote user can obtain a target user's Wiki Server credentials.

Solution:   Apple has issued a fix as part of Mac OS X v10.6.5 and Security Update 2010-007, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Security Update 2010-007 or Mac OS X v10.6.5.

For Mac OS X v10.6.4
The download file is named: MacOSXUpd10.6.5.dmg
Its SHA-1 digest is: ccd856d0672394fd80c6873a8f43c6739708b44f

For Mac OS X v10.6 - v10.6.3
The download file is named: MacOSXUpdCombo10.6.5.dmg
Its SHA-1 digest is: add336a1af1c3914887d2217fbbc98b18e6fb57c

For Mac OS X Server v10.6.4
The download file is named: MacOSXServerUpd10.6.5.dmg
Its SHA-1 digest is: fc1158e9e526e387cd37d6ecea76ae1ecc284eeb

For Mac OS X Server v10.6 - v10.6.3
The download file is named: MacOSXServUpdCombo10.6.5.dmg
Its SHA-1 digest is: 1317084400ea9b11f44d30cf3723ce991346b360

For Mac OS X v10.5.8
The download file is named: SecUpd2010-007.dmg
Its SHA-1 digest is: 50ff8cb66104cd2a01b66677864619e0fbed4d98

For Mac OS X Server v10.5.8
The download file is named: SecUpdSrvr2010-007.dmg
Its SHA-1 digest is: e6e9ea9cf97ae02d78560dbce4c7c2620321b21b
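
The package list above, turned into a check that picks the update for a given system and compares the downloaded file's SHA-1 with the digest listed here. This is an added example, not part of the advisory or Apple's tooling; the function names are hypothetical, and the file names and digests are copied from the list above.

```python
import hashlib
import hmac
import os

# (is_server, lowest version, highest version, file name, SHA-1) as listed in this advisory.
PACKAGES = [
    (False, (10, 6, 4), (10, 6, 4), "MacOSXUpd10.6.5.dmg", "ccd856d0672394fd80c6873a8f43c6739708b44f"),
    (False, (10, 6, 0), (10, 6, 3), "MacOSXUpdCombo10.6.5.dmg", "add336a1af1c3914887d2217fbbc98b18e6fb57c"),
    (True, (10, 6, 4), (10, 6, 4), "MacOSXServerUpd10.6.5.dmg", "fc1158e9e526e387cd37d6ecea76ae1ecc284eeb"),
    (True, (10, 6, 0), (10, 6, 3), "MacOSXServUpdCombo10.6.5.dmg", "1317084400ea9b11f44d30cf3723ce991346b360"),
    (False, (10, 5, 8), (10, 5, 8), "SecUpd2010-007.dmg", "50ff8cb66104cd2a01b66677864619e0fbed4d98"),
    (True, (10, 5, 8), (10, 5, 8), "SecUpdSrvr2010-007.dmg", "e6e9ea9cf97ae02d78560dbce4c7c2620321b21b"),
]


def parse_version(text):
    """'10.6' -> (10, 6, 0) so versions compare as tuples."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def select_package(version, server):
    """Return (file name, SHA-1) for this host, or None if no listed package applies."""
    v = parse_version(version)
    for is_server, low, high, name, digest in PACKAGES:
        if is_server == server and low <= v <= high:
            return name, digest
    return None


def sha1_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large disk image is not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, version, server):
    """Return (ok, reason) for a downloaded update file."""
    package = select_package(version, server)
    if package is None:
        return False, "no package in this advisory applies to %s" % version
    name, expected = package
    if os.path.basename(path) != name:
        return False, "expected %s for this system" % name
    actual = sha1_of(path)
    if not hmac.compare_digest(actual, expected):
        return False, "SHA-1 mismatch: got %s" % actual
    return True, "SHA-1 matches the advisory"


if __name__ == "__main__":
    # Constructed invocation: the path is a placeholder for the downloaded file.
    print(verify_download("MacOSXUpdCombo10.6.5.dmg", "10.6.2", server=False))
```
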

The vendor's advisory is available at:

http://support.apple.com/kb/HT4435

Vendor URL:  support.apple.com/kb/HT4435
Cause:   Access control error, Boundary error, Input validation error, State error
Underlying OS:  

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 23 2010 (Apple Issues Fix for Apple TV) Mac OS X Lets Remote Users Execute Arbitrary Code, Deny Service, and Obtain Information
Apple has issued a fix for Apple TV.
Jul 25 2011 (Apple Issues Fix for iWork) Mac OS X Lets Remote Users Execute Arbitrary Code, Deny Service, and Obtain Information   (Apple Product Security <product-security-noreply@lists.apple.com>)
Apple has issued a fix for Apple iWork.
Sep 21 2011 (VMware Issues Fix for Workstation/Player) Mac OS X Lets Remote Users Execute Arbitrary Code, Deny Service, and Obtain Information   (VMware Security Announcements <security-announce@lists.vmware.com>)
VMware has issued a fix for Workstation and Player.
Oct 13 2011 (Apple Issues Fix for Numbers for iOS) Mac OS X Lets Remote Users Execute Arbitrary Code, Deny Service, and Obtain Information   (Apple Product Security <product-security-noreply@lists.apple.com>)
Apple has issued a fix for Apple Numbers for iOS.



 Source Message Contents

Date:  Wed, 10 Nov 2010 23:43:32 +0000
Subject:  apple Mac os x



Subject: Mac OS X

APPLE-SA-2010-11-10-1 Mac OS X v10.6.5 and Security Update 2010-007

AFP Server
CVE-ID:  CVE-2010-1828
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Impact:  A remote attacker may cause AFP Server to unexpectedly
shut down
Description:  A null pointer dereference exists in AFP Server's
handling of reconnect authentication packets. A remote attacker may
cause AFP Server to unexpectedly shut down. Mac OS X automatically
restarts AFP Server after a shutdown. This issue is addressed through
improved validation of reconnect packets. Credit: Apple.

AFP Server
CVE-ID:  CVE-2010-1829
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Impact:  An authenticated user may cause arbitrary code execution
Description:  A directory traversal issue exists in AFP Server, which
may allow an authenticated user to create files outside of a share
with the permissions of the user. With a system configuration where
users are permitted file sharing access only, this may lead to
arbitrary code execution. This issue is addressed through improved
path validation. Credit: Apple.

AFP Server
CVE-ID:  CVE-2010-1830
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Impact:  A remote attacker may determine the existence of an AFP
share
Description:  An error handling issue exists in AFP Server. This may
allow a remote attacker to determine the existence of an AFP share
with a given name. This issue is addressed through improved signaling
of error conditions. Credit: Apple.


AppKit
CVE-ID:  CVE-2010-1842
Available for:  Mac OS X v10.6 through v10.6.4,
Mac OS X Server v10.6 through v10.6.4
Impact:  Rendering a bidirectional string that requires truncation
may lead to an unexpected application termination or arbitrary code
execution
Description:  A buffer overflow exists in AppKit. If a string
containing bidirectional text is rendered, and it is truncated with
an ellipsis, AppKit may apply an inappropriate layout calculation.
This could lead to an unexpected application termination or arbitrary
code execution. This issue is addressed by avoiding the inappropriate
layout calculation. Credit to Jesse Ruderman of Mozilla Corporation
for reporting this issue.

ATS
CVE-ID:  CVE-2010-1831
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Impact:  Viewing or downloading a document containing a maliciously
crafted embedded font may lead to arbitrary code execution
Description:  A buffer overflow exists in Apple Type Services'
handling of embedded fonts with long names. Viewing or downloading a
document containing a maliciously crafted embedded font may lead to
arbitrary code execution. This issue is addressed through improved
bounds checking.

ATS
CVE-ID:  CVE-2010-1832
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Impact:  Viewing or downloading a document containing a maliciously
crafted embedded font may lead to arbitrary code execution
Description:  A stack buffer overflow exists in Apple Type Services'
handling of embedded fonts. Viewing or downloading a document
containing a maliciously crafted embedded font may lead to arbitrary
code execution. On Mac OS X v10.6 systems this issue is mitigated by
the -fstack-protector compiler flag. This issue is addressed through
improved bounds checking. Credit: Apple.

ATS
CVE-ID:  CVE-2010-1833
Available for:  Mac OS X v10.6 through v10.6.4,
Mac OS X Server v10.6 through v10.6.4
Impact:  Viewing or downloading a document containing a maliciously
crafted embedded font may lead to arbitrary code execution
Description:  A memory corruption issue exists in Apple Type
Services' handling of embedded fonts. Viewing or downloading a
document containing a maliciously crafted embedded font may lead to
arbitrary code execution. This issue is addressed through improved
bounds checking. This issue does not affect systems prior to Mac OS X
v10.6. Credit to Marc Schoenefeld of Red Hat, and Christoph Diehl of
Mozilla for reporting this issue.


CFNetwork
CVE-ID:  CVE-2010-1834
Available for:  Mac OS X v10.6 through v10.6.4,
Mac OS X Server v10.6 through v10.6.4
Impact:  Visiting a maliciously crafted website may cause cookies to
be set for other sites
Description:  An implementation issue exists in CFNetwork's handling
of domain specifications in cookies. CFNetwork allows cookies to be
set for a partial IP address. A maliciously crafted website may set a
cookie that will be sent to a third-party site, if the third-party
site is accessed by IP address. This update addresses the issue
through improved validation of domains specified in cookies.

CoreGraphics
CVE-ID:  CVE-2010-1836
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Impact:  Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A stack buffer overflow exists in CoreGraphics'
handling of PDF files. Opening a maliciously crafted PDF file may
lead to an unexpected application termination. On 32-bit systems, it
may also lead to arbitrary code execution. This update addresses the
issues through improved bounds and error checking. Credit to Andrew
Kiss for reporting this issue.

CoreText
CVE-ID:  CVE-2010-1837
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Impact:  Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in CoreText's handling
of font files. Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved validation of font files. Credit:
Apple.


Directory Services
CVE-ID:  CVE-2010-1838
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Impact:  A local attacker may bypass the password validation and log
in to a mobile account
Description:  An error handling issue exists in Directory Service. A
local attacker with knowledge of the name of a disabled mobile
account, or a mobile account that allows a limited number of login
failures, may bypass the password validation and log in to the
account. This issue is addressed through improved handling of
disabled accounts.

Directory Services
CVE-ID:  CVE-2010-1840
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Impact:  An attacker may be able to cause an unexpected application
termination or arbitrary code execution
Description:  A stack buffer overflow exists in Directory Services'
password validation. An attacker may be able to cause an unexpected
application termination or arbitrary code execution. This issue is
addressed through improved bounds checking. Credit to Rodrigo Rubira
Branco from Check Point Vulnerability Discovery Team (VDT), and
Rainer Mueller for reporting this issue.

diskdev_cmds
CVE-ID:  CVE-2010-0105
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Impact:  A local user may be able to prevent the system from starting
properly
Description:  An implementation issue exists in fsck_hfs' handling of
directory trees. A local user may be able to prevent the system from
starting properly. This issue is addressed through improved
validation of directory trees. Credit to Maksymilian Arciemowicz of
SecurityReason for reporting this issue.

Disk Images
CVE-ID:  CVE-2010-1841
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Impact:  Opening a maliciously crafted disk image may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in processing UDIF
disk images. Opening a maliciously crafted disk image may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved validation of UDIF disk images.
Credit to Marc Schoenefeld of Red Hat for reporting this issue.

Image Capture
CVE-ID:  CVE-2010-1844
Available for:  Mac OS X v10.6 through v10.6.4,
Mac OS X Server v10.6 through v10.6.4
Impact:  Downloading a maliciously crafted image may lead to an
unexpected system shutdown
Description:  An unbounded memory consumption issue exists in Image
Capture. Downloading a maliciously crafted image may lead to an
unexpected system shutdown. This issue is addressed through improved
input validation. This issue does not affect systems prior to Mac OS
X v10.6. Credit to Steven Fisher of Discovery Software Ltd. for
reporting this issue.

ImageIO
CVE-ID:  CVE-2010-1845
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Impact:  Viewing a maliciously crafted PSD image may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues exist in ImageIO's
handling of PSD images. Viewing a maliciously crafted PSD image may
lead to an unexpected application termination or arbitrary code
execution. These issues are addressed through improved validation of
PSD images. Credit to Dominic Chell of NGSSoftware for reporting one
of these issues.


ImageIO
CVE-ID:  CVE-2010-2249
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Impact:  Multiple vulnerabilities in libpng
Description:  libpng is updated to version 1.4.3 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the libpng website at
http://www.libpng.org/pub/png/libpng.html

Image RAW
CVE-ID:  CVE-2010-1846
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Impact:  Viewing a maliciously crafted RAW image may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in Image RAW's handling
of images. Viewing a maliciously crafted RAW image may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. Credit: Apple.

Kernel
CVE-ID:  CVE-2010-1847
Available for:  Mac OS X v10.6 through v10.6.4,
Mac OS X Server v10.6 through v10.6.4
Impact:  A local user may cause an unexpected system shutdown
Description:  A memory management issue in the handling of terminal
devices may allow a local user to cause an unexpected system
shutdown. This issue is addressed through improved memory management.


Networking
CVE-ID:  CVE-2010-1843
Available for:  Mac OS X v10.6.2 through v10.6.4,
Mac OS X Server v10.6.2 through v10.6.4
Impact:  A remote attacker may cause an unexpected system shutdown
Description:  A null pointer dereference issue exists in the handling
of Protocol Independent Multicast (PIM) packets. By sending a
maliciously crafted PIM packet, a remote attacker may cause an
unexpected system shutdown. This issue is addressed through improved
validation of PIM packets. This issue does not affect systems prior
to Mac OS X v10.6.2. Credit to an anonymous researcher working with
TippingPoint's Zero Day Initiative for reporting this issue.


Password Server
CVE-ID:  CVE-2010-3783
Available for:  Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.4
Impact:  A remote attacker may be able to log in with an outdated
password
Description:  An implementation issue in Password Server's handling
of replication may cause passwords to not be replicated. A remote
attacker may be able to log in to a system using an outdated
password. This issue is addressed through improved handling of
password replication. This issue only affects Mac OS X Server
systems. Credit: Apple.


Printing
CVE-ID:  CVE-2010-3784
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Impact:  Applications that use the
PMPageFormatCreateWithDataRepresentation API may be vulnerable to an
unexpected application termination
Description:  A null dereference issue exists in the
PMPageFormatCreateWithDataRepresentation API's handling of XML data.
Applications that use this API may be vulnerable to an unexpected
application termination. This issue is addressed through improved
handling of XML data. Credit to Wujun Li of Microsoft for reporting
this issue. 

QuickLook
CVE-ID:  CVE-2010-3785
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Impact:  Downloading a maliciously crafted Microsoft Office file may
lead to an unexpected application termination or arbitrary code
execution
Description:  A buffer overflow exists in QuickLook's handling of
Microsoft Office files. Downloading a maliciously crafted Microsoft
Office file may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue through
improved bounds checking. Credit: Apple.

QuickLook
CVE-ID:  CVE-2010-3786
Available for:  Mac OS X v10.6 through v10.6.4,
Mac OS X Server v10.6 through v10.6.4
Impact:  Downloading a maliciously crafted Excel file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in QuickLook's
handling of Excel files. Downloading a maliciously crafted Excel file
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved bounds checking.
This issue does not affect systems prior to Mac OS X v10.6. Credit to
Tobias Klein working with the iDefense VCP for reporting this issue.

Time Machine
CVE-ID:  CVE-2010-1803
Available for:  Mac OS X v10.6 through v10.6.4,
Mac OS X Server v10.6 through v10.6.4
Impact:  A remote attacker may access a user's Time Machine
information
Description:  The user may designate a remote AFP volume to be used
for Time Machine backups. Time Machine does not verify that the same
physical device is being used for subsequent backup operations. An
attacker who is able to spoof the remote AFP volume can gain access
to the user's backup information. This issue is addressed by
verifying the unique identifier associated with a disk for backup
operations. This issue does not affect Mac OS X v10.5 systems.

Wiki Server
CVE-ID:  CVE-2010-3797
Available for:  Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.4
Impact:  A user who can edit wiki pages may obtain the credentials of
other users
Description:  A JavaScript injection issue exists in Wiki Server. A
user who can edit wiki pages may obtain the credentials of any user
who visits the edited pages. This issue is addressed through improved
input validation. This issue only affects Mac OS X Server systems.
Credit: Apple.

xar
CVE-ID:  CVE-2010-3798
Available for:  Mac OS X v10.6 through v10.6.4,
Mac OS X Server v10.6 through v10.6.4
Impact:  Extracting a maliciously crafted xar archive may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in xar. Extracting a
maliciously crafted xar archive may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed
through improved bounds checking. This issue does not affect systems
prior to Mac OS X v10.6. Credit: Apple. 
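
The CFNetwork entry above (CVE-2010-1834) describes cookies being accepted for a partial IP address. The following added example, which is not Apple's code, contrasts a constructed suffix-only domain match with the RFC 6265 section 5.1.3 rule that an IP address must match the cookie domain exactly; the class, function names and addresses are hypothetical.

```python
import ipaddress


def is_ip_literal(host):
    """True when host is a complete IPv4/IPv6 address rather than a host name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def naive_domain_match(host, domain):
    # Constructed "before" behaviour: plain suffix comparison that treats
    # the octets of an IP address as if they were DNS labels.
    host, domain = host.lower(), domain.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def strict_domain_match(host, domain):
    # RFC 6265 section 5.1.3: a suffix match is only valid when the request
    # host is a host name; an IP address must equal the cookie domain.
    host, domain = host.lower(), domain.lstrip(".").lower()
    if host == domain:
        return True
    return not is_ip_literal(host) and host.endswith("." + domain)


class CookieJar:
    def __init__(self, match):
        self.match = match
        self.cookies = []  # (domain, host_only, name, value)

    def set_cookie(self, request_host, name, value, domain_attr=None):
        """Store a cookie from a response; returns False if it is rejected."""
        if domain_attr is None:
            self.cookies.append((request_host.lower(), True, name, value))
            return True
        # A site may only set cookies for a domain that covers itself.
        if not self.match(request_host, domain_attr):
            return False
        self.cookies.append((domain_attr.lstrip(".").lower(), False, name, value))
        return True

    def cookies_for(self, host):
        """Cookies that would be attached to a request to host."""
        out = {}
        for domain, host_only, name, value in self.cookies:
            hit = host.lower() == domain if host_only else self.match(host, domain)
            if hit:
                out[name] = value
        return out


def demo(match):
    # Constructed addresses: 10.1.0.5 is the site setting the cookie and
    # 10.2.0.5 is an unrelated site that shares its last two octets.
    jar = CookieJar(match)
    accepted = jar.set_cookie("10.1.0.5", "sid", "planted", domain_attr=".0.5")
    return accepted, jar.cookies_for("10.2.0.5")


if __name__ == "__main__":
    print("naive :", demo(naive_domain_match))
    print("strict:", demo(strict_domain_match))
```
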
 


Copyright 2014, SecurityGlobal.net LLC