
Apple Mac OS X Multiple Vulnerabilities


Secunia ID: SA42151

CVE-ID:

CVE-2008-4546, CVE-2009-0796, CVE-2009-0946, CVE-2009-2473, CVE-2009-2474, CVE-2009-2624, CVE-2009-3793, CVE-2009-4134, CVE-2010-0001, CVE-2010-0105, CVE-2010-0209, CVE-2010-0211, CVE-2010-0397, CVE-2010-0408, CVE-2010-0434, CVE-2010-1205, CVE-2010-1297, CVE-2010-1378, CVE-2010-1449, CVE-2010-1450, CVE-2010-1752, CVE-2010-1803, CVE-2010-1811, CVE-2010-1828, CVE-2010-1829, CVE-2010-1830, CVE-2010-1831, CVE-2010-1832, CVE-2010-1833, CVE-2010-1834, CVE-2010-1836, CVE-2010-1837, CVE-2010-1838, CVE-2010-1840, CVE-2010-1841, CVE-2010-1842, CVE-2010-1843, CVE-2010-1844, CVE-2010-1845, CVE-2010-1846, CVE-2010-1847, CVE-2010-1848, CVE-2010-1849, CVE-2010-1850, CVE-2010-2160, CVE-2010-2161, CVE-2010-2162, CVE-2010-2163, CVE-2010-2164, CVE-2010-2165, CVE-2010-2166, CVE-2010-2167, CVE-2010-2169, CVE-2010-2170, CVE-2010-2171, CVE-2010-2172, CVE-2010-2173, CVE-2010-2174, CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2179, CVE-2010-2180, CVE-2010-2181, CVE-2010-2182, CVE-2010-2183, CVE-2010-2184, CVE-2010-2185, CVE-2010-2186, CVE-2010-2187, CVE-2010-2188, CVE-2010-2189, CVE-2010-2213, CVE-2010-2214, CVE-2010-2215, CVE-2010-2216, CVE-2010-2249, CVE-2010-2484, CVE-2010-2497, CVE-2010-2498, CVE-2010-2499, CVE-2010-2500, CVE-2010-2519, CVE-2010-2520, CVE-2010-2531, CVE-2010-2805, CVE-2010-2806, CVE-2010-2807, CVE-2010-2808, CVE-2010-2884, CVE-2010-2941, CVE-2010-3053, CVE-2010-3054, CVE-2010-3636, CVE-2010-3638, CVE-2010-3639, CVE-2010-3640, CVE-2010-3641, CVE-2010-3642, CVE-2010-3643, CVE-2010-3644, CVE-2010-3645, CVE-2010-3646, CVE-2010-3647, CVE-2010-3648, CVE-2010-3649, CVE-2010-3650, CVE-2010-3652, CVE-2010-3654, CVE-2010-3783, CVE-2010-3784, CVE-2010-3785, CVE-2010-3786, CVE-2010-3787, CVE-2010-3788, CVE-2010-3789, CVE-2010-3790, CVE-2010-3791, CVE-2010-3792, CVE-2010-3793, CVE-2010-3794, CVE-2010-3795, CVE-2010-3796, CVE-2010-3797, CVE-2010-3798, CVE-2010-3976, CVE-2010-4010

Release Date: 09 Nov 2010

Last Change: 02 Feb 2011

Criticality: Highly Critical

Solution Status: Vendor Patch

Where: From remote

Impact

DoS (Denial of Service)

This includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system.

System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Cross-Site Scripting

Cross-Site Scripting vulnerabilities allow a third party to manipulate the content or behaviour of a web application in a user's browser, without compromising the underlying system.

Different Cross-Site Scripting related vulnerabilities are also classified under this category, including "script insertion" and "cross-site request forgery".

Cross-Site Scripting vulnerabilities are often used against specific users of a website to steal their credentials or to conduct spoofing attacks.

Exposure of sensitive information

Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.

Security Bypass

This covers vulnerabilities or security issues where malicious users or people can bypass certain security mechanisms of the application.

The actual impact varies significantly depending on the design and purpose of the affected application.

Spoofing

This covers various vulnerabilities where it is possible for malicious users or people to impersonate other users or systems.

Description

Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) A signedness error in ATSServer when handling the CharStrings INDEX structure can be exploited to cause a buffer overflow via e.g. a PDF file containing a specially crafted CFF font.

This may be related to vulnerability #1 in:
SA40807

2) An array-indexing error in QuickTime when parsing Sorenson Video 3 content can be exploited to corrupt memory.

For more information:
SA39259

3) A NULL pointer dereference error in the handling of reconnect authentication packets can be exploited to terminate the AFP Server.

4) An input validation error in AFP Server can be exploited by authenticated users to create files outside of a share with the permissions of the user, which allows execution of arbitrary code.

5) An error handling issue in AFP Server can be exploited to determine the existence of an AFP share with a given name.

6) A vulnerability in Apache mod_perl can be exploited by malicious people to conduct cross-site scripting attacks.

For more information:
SA34597

7) Multiple vulnerabilities in Apache can be exploited by malicious people to disclose sensitive information or cause a DoS (Denial of Service).

For more information:
SA38776

8) An error in the layout calculation in AppKit when rendering a string containing bidirectional text can be exploited to cause a buffer overflow, which may allow execution of arbitrary code.

9) A boundary error exists in the handling of embedded fonts in Apple Type Services (ATS). This can be exploited to cause a buffer overflow, which may allow execution of arbitrary code when a specially crafted document containing embedded fonts with an overly long name is being viewed or downloaded.

10) A boundary error exists in the handling of embedded fonts in Apple Type Services (ATS). This can be exploited to cause a stack-based buffer overflow, which may allow execution of arbitrary code when a specially crafted document is being viewed or downloaded.

11) An unspecified error exists in the handling of embedded fonts in Apple Type Services (ATS). This can be exploited to corrupt memory, which may allow execution of arbitrary code when a specially crafted document is being viewed or downloaded.

12) A vulnerability in CFNetwork can be exploited by malicious people to compromise a user's system.

For more information see vulnerability #2 in:
SA40257

13) An error in CFNetwork in the handling of domain specifications in cookies can be exploited to set a cookie for a different domain if the target site is being accessed via its IP address.
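Item 13 concerns a Domain attribute being honoured when the site is reached by its IP address. As an added illustration (not Apple's or Secunia's code), the following Python shows the domain-matching check a cookie store applies under RFC 6265 section 5.1.3 before accepting a Domain attribute; an IP-literal host may only receive host-only cookies, never cookies scoped to a name. The hosts and domains used are constructed.

```python
import ipaddress
from typing import Optional

# Added example: RFC 6265 style domain matching for the Set-Cookie Domain
# attribute. All host names and domains below are constructed.


def is_ip_literal(host: str) -> bool:
    """True when the request host is an IPv4/IPv6 literal, not a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def normalize(name: str) -> str:
    """Lower-case and strip whitespace plus any leading or trailing dot."""
    return name.strip().lower().strip(".")


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """Exact match, or a DNS-name host ending in '.' + domain.
    An IP literal never suffix-matches a domain."""
    host, dom = normalize(request_host), normalize(cookie_domain)
    if not host or not dom:
        return False
    if host == dom:
        return True
    if is_ip_literal(host):
        return False  # no suffix matching for IP-addressed hosts
    return host.endswith("." + dom)


def effective_cookie_domain(request_host: str,
                            domain_attr: Optional[str]) -> Optional[str]:
    """Domain the cookie may be stored under, or None to reject the cookie.
    No Domain attribute means a host-only cookie for the request host."""
    host = normalize(request_host)
    if not domain_attr:
        return host
    dom = normalize(domain_attr)
    if dom == host:
        return host
    if "." not in dom:
        return None  # refuse bare TLD-style domains (stand-in for a public-suffix check)
    if not domain_matches(host, dom):
        return None  # Domain attribute does not cover the host: ignore the cookie
    return dom
```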

14) A boundary error in CoreGraphics within the processing of PDF files can be exploited to cause a stack-based buffer overflow, which may allow execution of arbitrary code on 32-bit systems if a specially crafted PDF file is opened.

15) An unspecified error in CoreText in the processing of font files can be exploited to corrupt memory and execute arbitrary code via a specially crafted PDF file.

16) A vulnerability in CUPS can be exploited by malicious people to compromise a vulnerable system.

For more information:
SA41706

17) An error in Directory Service can be exploited by a malicious, local user to bypass authentication and log in to a disabled mobile account or a mobile account with limited login failures.

Successful exploitation requires knowledge of the name of the mobile account.

18) A boundary error in the "/usr/bin/chfn", "/usr/bin/chpass", and "/usr/bin/chsh" setuid programs within Directory Services when processing the "-u" option can be exploited to cause a heap-based buffer overflow via an overly long string.

Successful exploitation may allow execution of arbitrary code with the privileges of the root user.

19) An error in fsck_hfs within the handling of directory trees can be exploited by malicious, local users to prevent the system from starting properly.

20) An unspecified error in the processing of UDIF disk images can be exploited to corrupt memory, which may allow execution of arbitrary code.

21) Multiple vulnerabilities in Flash Player plug-in can be exploited by malicious people to conduct cross-site scripting or click-jacking attacks, disclose sensitive information, bypass certain security restrictions, or compromise a user's system.

For more information:
SA40026
SA40907
SA41434
SA41917

22) Some vulnerabilities in gzip can be exploited by malicious people to cause a DoS or potentially compromise a user's system.

For more information:
SA38132
SA38220

23) An error in Image Capture within the memory handling can be exploited to cause a system shutdown when a specially crafted image is being downloaded.

24) Various unspecified errors in ImageIO in the processing of PSD images can be exploited to corrupt memory, which may allow execution of arbitrary code.

25) A vulnerability in ImageIO when processing TIFF files can be exploited by malicious people to compromise a user's system.

For more information see vulnerability #3 in:
SA41328

26) Multiple vulnerabilities in libpng (also included in X11) can be exploited by malicious people to cause a DoS and potentially compromise an application using the library.

For more information:
SA38774
SA40302

27) A boundary error in Image RAW in the processing of images can be exploited to cause a heap-based buffer overflow, which may allow execution of arbitrary code when a specially crafted RAW image is being viewed.

28) An error in the Kernel memory management when handling terminal devices can be exploited by malicious, local users to cause a system shutdown.

29) Multiple vulnerabilities in MySQL can be exploited by malicious users to bypass certain security restrictions or potentially compromise a vulnerable system and by malicious people to cause a DoS.

For more information:
SA39792

30) Two vulnerabilities in neon can be exploited by malicious people to conduct spoofing attacks or cause a DoS.

For more information:
SA36371

31) A NULL pointer dereference error in the IPv6 stack within the handling of Protocol Independent Multicast (PIM) packets can be exploited to cause a system shutdown by sending a specially crafted PIM packet.

32) Two vulnerabilities in OpenLDAP can be exploited by malicious people to cause a DoS and potentially compromise a vulnerable system.

For more information:
SA40639

33) An arithmetic error in OpenSSL in the certificate validation can be exploited to bypass certificate validation steps and cause OpenSSL to accept any certificate signed by a trusted root as valid.

34) An error in Password Server within the handling of replication may cause passwords to not be replicated. This can potentially be exploited to log in to a system using an outdated password.

35) A vulnerability and a weakness in PHP can be exploited by malicious people to disclose system and potentially sensitive information and compromise a vulnerable system.

For more information:
SA39675
SA40268

36) A NULL pointer dereference error exists in the handling of XML data with the PMPageFormatCreateWithDataRepresentation API. This can be exploited to cause a DoS for an application that uses this API.

37) Multiple integer overflows in the python "rgbimg" and "audioop" modules can potentially be exploited to execute arbitrary code.

38) A boundary error in QuickLook within the processing of Microsoft Office files can be exploited to cause a buffer overflow, which may allow execution of arbitrary code.

39) An error in the OfficeImport framework when processing Excel files can be exploited to corrupt memory resulting in values from the file being treated as function pointers via a specially crafted Excel record.

40) An error in QuickTime within the processing of JP2 images can be exploited to cause a heap-based buffer overflow.

For more information:
SA39259

41) An error in QuickTime when processing JP2 images can be exploited to corrupt memory.

For more information:
SA39259

42) An error in QuickTime when processing AVI files can be exploited to corrupt memory.

For more information:
SA39259

43) An error in QuickTime when performing image transformation using the sprite handler can be exploited to cause a memory corruption when a specially crafted movie file is being viewed.

44) A boundary error in QuickTime when processing MPEG encoded movie files can be exploited to cause a buffer overflow.

For more information:
SA39259

45) A signedness error in QuickTime when processing MPEG encoded movie files can be exploited to corrupt memory.

For more information:
SA39259

46) An error in QuickTime when processing FlashPix images can be exploited to corrupt memory.

For more information:
SA39259

47) An input validation error in QuickTime when processing GIF images can be exploited to corrupt memory.

For more information:
SA39259

48) A security issue is caused due to Java applets being allowed to open RSS feeds, which can be exploited to e.g. disclose sensitive information when a specially crafted "feed:" URL is being accessed.

49) A security issue is caused due to TimeMachine not verifying the physical device of an AFP volume for subsequent backup operations. This can be exploited to disclose backup information by spoofing the remote AFP volume.

50) Input passed to the Wiki Server is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious data is being viewed.

51) Multiple vulnerabilities in FreeType (included in X11) can be exploited by malicious people to cause a DoS or compromise an application using the library.

For more information:
SA34723
SA40586
SA40816

52) A boundary error in xar when extracting xar archives can be exploited to cause a heap-based buffer overflow via a specially crafted xar archive.

Solution

Update to version 10.6.5 or apply Security Update 2010-007.

Security Update 2010-007 (Leopard Client):
http://support.apple.com/kb/DL1329

Security Update 2010-007 (Leopard Server):
http://support.apple.com/kb/DL1330

Mac OS X v10.6.5 Update (Combo):
http://support.apple.com/kb/DL1324

Mac OS X Server v10.6.5 Update Combo:
http://support.apple.com/kb/DL1326

Mac OS X v10.6.5 Update:
http://support.apple.com/kb/DL1325

Mac OS X Server v10.6.5 Update:
http://support.apple.com/kb/DL1327

Reported by

1) Anibal Sacco and Matias Eissler, Core Security Technologies.
2) Carsten Eiram, Secunia Research
An anonymous person via ZDI.
18) Rodrigo Rubira Branco, Check Point Vulnerability Discovery Team (VDT).
19) Maksymilian Arciemowicz, SecurityReason
31, 44-47) An anonymous person via ZDI.
39) Tobias Klein via iDefense
40) Nils of MWR InfoSecurity and Will Dormann of the CERT/CC
41) Damian Put and Procyun via ZDI.
42) Damian Put via ZDI.
43) Honggang Ren, Fortinet's FortiGuard Labs
An anonymous person via ZDI.

The vendor credits:
8) Jesse Ruderman, Mozilla Corporation
11) Marc Schoenefeld, Red Hat and Christoph Diehl, Mozilla.
12) Laurent OUDOT, TEHTRI-Security and Neil Fryer, IT Security Geeks.
14) Andrew Kiss
20) Marc Schoenefeld, Red Hat
23) Steven Fisher, Discovery Software Ltd.
24) Dominic Chell, NGSSoftware
33) Ryan Govostes, RPISEC
36) Wujun Li, Microsoft.
48) Jason Hullinger, IOActive

Original Advisory

Apple:
http://support.apple.com/kb/HT4435

Core Security Technologies (CORE-2010-0825):
http://www.coresecurity.com/content/Apple-OSX-ATSServer-CharStrings-Sign-Mismatch

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-248/
http://www.zerodayinitiative.com/advisories/ZDI-11-038/

SecurityReason:
http://securityreason.com/achievement_securityalert/83

Check Point Vulnerability Discovery Team (VDT):
http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0108.html

iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=881

US-CERT VU#309873:
http://www.kb.cert.org/vuls/id/309873

FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2010-61.html