
December 17th, 2007

Apple delivers hefty patch haul; Addresses Leopard flaws and Safari

Posted by Larry Dignan @ 6:13 pm

Categories: Apple, Patch Watch

Tags: Apple Macintosh, Apple Safari, Problem, Mac OS X Server, Server, Apple Inc., Flaw, Leopard, Apple Mac OS X, Apple Mac OS

Apple on Monday delivered another 41 patches to address multiple vulnerabilities in Mac OS X and Mac OS X Server including more than a few for Leopard.

The security update, which matches last month’s patch crop from Apple, features a few common threads. Among them:

  • Leopard and Tiger are affected;
  • The patches mostly cover flaws that allow hackers to take over your system;
  • Execution holes abound throughout Mac OS X in iChat, Core Foundation, Quick Look and Desktop Services;
  • Apple has been busy on the security front. Last week, Apple delivered a Java runtime update and patched a bunch of QuickTime flaws. QuickTime has been under fire of late.

In any case, it is recommended that you update. Here’s the laundry list of Apple’s latest round of patches.

CVE-2007-4708: This plugs a vulnerability in Address Book’s URL handler. Apple says: “By enticing a user to visit a maliciously crafted website, a remote attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of format strings.” Versions affected include Mac OS X v10.4.11 and Mac OS X Server v10.4.11. Anyone running Mac OS X 10.5 or later isn’t affected.

CVE-2007-4709: This one covers Mac OS X v10.5.1 and Mac OS X Server v10.5.1, also known as Leopard. The problem: “A path traversal issue exists in CFNetwork’s handling of downloaded files,” said Apple. In a nutshell, visiting a malicious Web site could allow the automatic download of files to arbitrary folders, which is a nice way of saying your computer has been hijacked.
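To show the bug class behind CVE-2007-4709 from the defender's side, here is an added example (not Apple's code, and not taken from the advisory) of a download handler that trusts the remote filename beside one that confines every download to the download folder. The download directory and the sample filenames are constructed for the demonstration.

```python
import os
import posixpath
from urllib.parse import unquote

# Constructed download folder (any path works; realpath makes comparisons stable).
DOWNLOAD_DIR = os.path.realpath("/home/alice/Downloads")

# Constructed filenames as a server might supply them in a URL path or
# Content-Disposition header; none come from the advisory.
SAMPLE_NAMES = [
    "report.pdf",
    "../../Library/LaunchAgents/evil.plist",
    "..%2F..%2F.bash_profile",
    "/etc/hosts",
    "notes/../../x.txt",
]


def naive_download_path(remote_name, download_dir=DOWNLOAD_DIR):
    """The bug pattern: the decoded remote name is joined as-is, so '..'
    segments and absolute paths walk out of the download folder."""
    return os.path.normpath(os.path.join(download_dir, unquote(remote_name)))


def safe_download_path(remote_name, download_dir=DOWNLOAD_DIR):
    """Hardened version: decode once, keep only the last path component,
    replace empty or dot-prefixed names, then verify the result is a direct
    child of the download folder before returning it."""
    name = posixpath.basename(unquote(remote_name).replace("\\", "/"))
    if name in ("", ".", "..") or name.startswith("."):
        name = "download.bin"  # keep the download, drop the hostile name
    base = os.path.realpath(download_dir)
    dest = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(dest) != base:
        raise ValueError("download path escapes the download directory")
    return dest


def escapes(path, download_dir=DOWNLOAD_DIR):
    """True when a resolved path lies outside the download folder."""
    base = os.path.realpath(download_dir)
    return not os.path.realpath(path).startswith(base + os.sep)


def naive_escapes():
    """Sample names that the naive handler would write outside the folder."""
    return [n for n in SAMPLE_NAMES if escapes(naive_download_path(n))]


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n!r:45} naive={naive_download_path(n)}  safe={safe_download_path(n)}")
```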

CVE-2007-4710: This covers Mac OS X v10.4.11 and Mac OS X Server v10.4.11 and doesn’t affect Leopard. Specifically, Apple is addressing ColorSync. The issue: “Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution.”

CVE-2007-5847: Again, this ditty covers Mac OS X v10.4.11, Mac OS X Server v10.4.11. (See a trend here yet?). The problem is Core Foundation, which could disclose sensitive information. Leopard not affected.

CVE-2007-5848: This one covers a CUPS vulnerability in a printer driver. Apple says “a local admin user may be able to gain system privileges.” Leopard not affected.

CVE-2007-4351: Another CUPS problem and this one affects Leopard. Specifically, the OS X flavors impacted include Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1. The update corrects for a memory corruption issue in the handling of Internet Printing Protocol tags that could lead to an application crash or arbitrary code execution.

CVE-2007-5849: Another CUPS issue affecting Leopard and Leopard Server. Apple says: “If SNMP is enabled, a remote attacker may cause an unexpected application termination or arbitrary code execution.” Apple’s description: “The CUPS backend SNMP program broadcasts SNMP requests to discover network print servers.”

CVE-2007-5850: This one covers desktop services in Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The gist: There’s a buffer overflow problem in Finder that can lead to arbitrary code execution. Leopard not affected.

CVE-2007-5476: Affects the Flash Player plug-in for Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1 and Mac OS X Server v10.5.1. There are multiple vulnerabilities addressed by Adobe.

CVE-2007-4131: This one corrects a “maliciously crafted tar archive” issue in GNU Tar. Affects Mac OS X v10.4.11 and Mac OS X Server v10.4.11, but Leopard is in the clear.

CVE-2007-5851: iChat is the issue here. The problem: A person on the local network may initiate a video connection without permission. Leopard not impacted, but it does cover Mac OS X v10.4.11 and Mac OS X Server v10.4.11.

CVE-2007-5853: IO storage issue where “opening a maliciously crafted disk image may lead to an unexpected system shutdown or arbitrary code execution.” Leopard is in the clear, but Mac OS X v10.4.11 and Mac OS X Server v10.4.11 aren’t.

CVE-2007-5854: This one fixes launch services in Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1. The problem: “Opening a maliciously crafted HTML file may lead to information disclosure or cross-site scripting.”

CVE-2007-6165: Another launch services problem, this time “opening an executable mail attachment may lead to arbitrary code execution with no warning.” Affects Leopard and Leopard Server.

CVE-2007-5855: Affects mail on Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1. The problem: “SMTP accounts set up through Account Assistant may use plaintext authentication even when MD5 Challenge-Response authentication is available.”
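The CVE-2007-5855 entry is about mechanism selection: a client that is offered CRAM-MD5 should not fall back to PLAIN. This added example (not Apple's code, not from Mail or Account Assistant) parses a constructed EHLO reply, picks the strongest advertised mechanism, and computes the RFC 2195 CRAM-MD5 client response. The rule that PLAIN and LOGIN are only acceptable once TLS is active is an assumption of this example, not something the advisory states.

```python
import base64
import hashlib
import hmac

# Constructed EHLO replies; not captured from any real server.
EHLO_WITH_CRAM = b"250-mail.example.net\r\n250-AUTH PLAIN LOGIN CRAM-MD5\r\n250 8BITMIME\r\n"
EHLO_PLAIN_ONLY = b"250-mail.example.net\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"

PREFERENCE = ["CRAM-MD5", "PLAIN", "LOGIN"]  # strongest first
CLEARTEXT = {"PLAIN", "LOGIN"}               # send the password as-is


def advertised_auth(ehlo_response):
    """Return the mechanisms listed on the AUTH capability line(s)."""
    mechs = []
    for line in ehlo_response.decode("ascii", "replace").splitlines():
        body = line[4:]  # strip the "250-" / "250 " reply prefix
        if body.upper().startswith(("AUTH ", "AUTH=")):  # "AUTH=" is the legacy form
            mechs.extend(m.upper() for m in body[5:].split())
    return mechs


def choose_mechanism(mechs, tls_active):
    """Pick the strongest advertised mechanism. The advisory's bug was choosing
    PLAIN while CRAM-MD5 was on offer; this walks PREFERENCE in order and
    (assumption) refuses a cleartext mechanism unless TLS is already up."""
    for m in PREFERENCE:
        if m in mechs:
            if m in CLEARTEXT and not tls_active:
                raise RuntimeError("refusing to send the password in the clear")
            return m
    raise RuntimeError("no acceptable AUTH mechanism advertised")


def cram_md5_response(username, password, challenge_b64):
    """RFC 2195 client reply: base64(user + ' ' + hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def rfc2195_example():
    """Decoded reply for the worked example in RFC 2195 section 2."""
    challenge = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()
    return base64.b64decode(cram_md5_response("tim", "tanstaaftanstaaf", challenge)).decode()


if __name__ == "__main__":
    print(choose_mechanism(advertised_auth(EHLO_WITH_CRAM), tls_active=False))
    print(rfc2195_example())
```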

CVE-2007-5116 and CVE-2007-4965: Address problems with Perl and Python, respectively. Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1 and Mac OS X Server v10.5.1 are impacted.

CVE-2007-5856 and CVE-2007-5857: Both address Quick Look vulnerabilities in Leopard. Previewing a movie can disclose sensitive information. There are also some URL access issues.

CVE-2007-5770, CVE-2007-5379, CVE-2007-5380 and CVE-2007-6077: Vulnerabilities abound in Ruby libraries and Rails 1.2.3. The first one listed impacts Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1 and Mac OS X Server v10.5.1. The remaining CVEs impact Leopard only.

CVE-2007-5858: A Safari fix for an information disclosure flaw. Impacts Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1 and Mac OS X Server v10.5.1. Also impacts Safari 3 Beta on Windows XP and Vista.

CVE-2007-5859: Safari RSS has issues on Mac OS X v10.4.11 and Mac OS X Server v10.4.11. A maliciously crafted feed may lead to application termination or arbitrary code execution. Leopard not affected.

CVE-2007-4572, CVE-2007-5398: Addresses Samba vulnerabilities. Impacts Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1.

CVE-2006-0024: Addresses Shockwave woes in Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1.

CVE-2007-3876: Apple says: “A stack buffer overflow issue exists in the code used by the mount_smbfs and smbutil applications to parse command line arguments, which may allow a local user to cause arbitrary code.” Impacts Mac OS X v10.4.11 and Mac OS X Server v10.4.11.

CVE-2007-5863: Even Software Update has a few flaws. Leopard is impacted: “A man-in-the-middle attack could cause Software Update to execute arbitrary commands with system privileges.”

CVE-2007-5860: SpinTracer flaw affecting Leopard. “A local user may be able to execute arbitrary code with system privileges.”

CVE-2007-5861: Addresses Spotlight flaws. Affects Mac OS X v10.4.11, Mac OS X Server v10.4.11.

CVE-2007-1218, CVE-2007-3798: Vulnerabilities abound in tcpdump. Affects Mac OS X v10.4.11, Mac OS X Server v10.4.11.

CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768: Multiple vulnerabilities plugged in XQuery. Affects Mac OS X v10.4.11, Mac OS X Server v10.4.11.

Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic.
