TITLE:
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA31882

VERIFY ADVISORY:
http://secunia.com/advisories/31882/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Cross Site Scripting, Spoofing, Manipulation of
data, Exposure of system information, Exposure of sensitive
information, DoS, System access

WHERE:
From remote

OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/advisories/product/96/

DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.

1) A boundary error in the handling of PostScript font names in Apple
Type Services can be exploited to cause a heap-based buffer overflow
when a document containing a specially crafted font is viewed.

Successful exploitation may allow execution of arbitrary code.

2) Some vulnerabilities in ClamAV can be exploited by malicious
people to bypass certain security restrictions, cause a DoS (Denial
of Service), or compromise a vulnerable system.

For more information:
SA29000
SA30657

3) An error exists in Directory Services when it is configured to
authenticate users with Active Directory. This can be exploited to
disclose a list of user names from Active Directory in the Login
Window by supplying wildcard characters in the user name field.

4) A vulnerability is caused due to an insecure file operation within
the "slapconfig" tool, which can be exploited by a malicious, local
user to disclose the passwords that are entered by administrative
users using "slapconfig".

5) A weakness in Finder causes the "Get Info" window to incorrectly
display the privileges for a file.

6) A null pointer dereference error exists in Finder when searching
for a remote disc. This can be exploited by malicious people with
access to the local network to cause Finder to exit immediately after
it starts.

7) A vulnerability in ImageIO can be exploited by malicious people to
cause a DoS (Denial of Service) or to potentially compromise a user's
system.

For more information:
SA31610

8) An unspecified error exists in ImageIO when handling TIFF images.
This can be exploited to cause memory corruption, which allows
crashing an application or potentially executing arbitrary code.

9) An unspecified error in ImageIO when processing embedded ICC
profiles in JPEG images can be exploited to crash an application or
potentially execute arbitrary code.

10) A vulnerability in ImageIO can be exploited by malicious people
to cause a DoS (Denial of Service), disclose potentially sensitive
information, or potentially compromise an application using the
library.

For more information:
SA29792

11) An error in the Kernel when a vnode is recycled can be exploited
by malicious, local users to read or write certain files without
proper permissions.

12) A security issue exists in libresolv and mDNSResponder due to DNS
query port numbers not being sufficiently randomised, which can be
exploited to poison the DNS cache.

13) A race condition exists in Login Window, which can be exploited
to log in as an arbitrary user without providing any credentials if
the system has an account without password enabled, e.g. the "Guest"
account.

14) A weakness exists due to Login Window not properly clearing the
password after a failed password change, which can be exploited by
malicious people with access to the Login Screen to reset a user's
password.

Successful exploitation requires that a user leaves a system with the
error message displayed after a failed password change.

15) A vulnerability and a weakness in OpenSSH can be exploited by
malicious, local users to disclose sensitive information or to bypass
certain security restrictions.

For more information:
SA29522
SA29602

16) A vulnerability in QuickDraw Manager can be exploited by
malicious people to compromise a user's system.

For more information see vulnerability #5 in:
SA31821

17) A vulnerability in Ruby can be exploited by malicious people to
cause a DoS (Denial of Service).

For more information:
SA30924

18) Integer overflow errors exist in unspecified functions within the
SearchKit framework. These can be exploited to crash an application or
execute arbitrary code when an application passes untrusted input to
SearchKit.

19) An error in System Configuration exists due to PPP passwords
being stored unencrypted in a world readable file.

20) An error exists in Time Machine due to log files being stored
with insecure permissions on the backup drive, which can lead to
disclosure of sensitive information.

21) A memory corruption error exists in the handling of H.264 encoded
media within the VideoConference framework. This can be exploited to
crash an application and potentially execute arbitrary code e.g. when
a user starts a video conference with a malicious person.

22) Certain input in emails is not properly sanitised before being
used in the mailing list archive in Wiki Server. This can be
exploited to insert arbitrary HTML and script code, which will be
executed in another user's browser session in context of an affected
site e.g. when a malicious mail is viewed.
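
EXAMPLE (added here, not part of the Secunia or Apple advisory):
A defender-side check for the condition in item 12: it grades the UDP
source ports a resolver was observed using for outgoing DNS queries.
The function name, thresholds and sample port lists are constructed
assumptions.

```python
# Added example: grade the UDP source ports a resolver used for outgoing
# DNS queries. Thresholds and sample data are constructed assumptions.
import math

MIN_SAMPLES = 10      # assumption: fewer samples say too little
SEQ_STEP = 8          # assumption: a step of 1..8 counts as incrementing
SEQ_FRACTION = 0.9    # assumption: 90% such steps means sequential ports
NARROW_SPREAD = 1024  # assumption: a window under 1024 ports is too small


def assess_source_ports(ports):
    """Return a verdict and supporting figures for observed source ports."""
    if len(ports) < MIN_SAMPLES:
        raise ValueError("need at least %d samples" % MIN_SAMPLES)
    if any(not 0 < p < 65536 for p in ports):
        raise ValueError("port out of range")
    distinct = len(set(ports))
    spread = max(ports) - min(ports) + 1
    # Step between consecutive queries, modulo 2**16 so wrap-around counts.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    stepping = sum(1 for d in deltas if 0 < d <= SEQ_STEP) / len(deltas)
    if distinct == 1:
        verdict = "fixed"
    elif stepping >= SEQ_FRACTION:
        verdict = "sequential"
    elif spread < NARROW_SPREAD:
        verdict = "narrow"
    else:
        verdict = "randomised"
    # port_bits: size of the observed port window in bits. A forged reply
    # must also match the 16-bit DNS query ID, so the two figures add.
    port_bits = round(math.log2(spread), 1)
    return {"verdict": verdict, "distinct": distinct, "port_bits": port_bits}


# Constructed samples, in the order the queries were seen.
FIXED = [32768] * 20
SEQUENTIAL = list(range(49152, 49172))
NARROW = [1050, 1027, 1099, 1031, 1076, 1044, 1088, 1025, 1061, 1093,
          1038, 1070, 1029, 1082, 1055, 1096, 1033, 1067, 1048, 1079]
RANDOMISED = [51234, 1033, 40211, 60999, 2048, 33001, 17854, 45120, 9321,
              58210, 27645, 12007, 63990, 38412, 5150, 49876, 21003, 56789,
              14444, 30303]

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED), ("sequential", SEQUENTIAL),
                         ("narrow", NARROW), ("randomised", RANDOMISED)):
        print(name, assess_source_ports(sample))
```

Ports should be sampled at the authoritative server or on the wire
outside any NAT device, since address translation can rewrite the
source port the resolver chose.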

SOLUTION:
Update to Mac OS X 10.5.5 or apply Security Update 2008-006.

Security Update 2008-006 Client (Intel):
http://www.apple.com/support/downloads/securityupdate2008006clientintel.html

Security Update 2008-006 Client (PPC):
http://www.apple.com/support/downloads/securityupdate2008006clientppc.html

Security Update 2008-006 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008006serverppc.html

Security Update 2008-006 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008006serveruniversal.html

Mac OS X 10.5.5 Combo Update:
http://www.apple.com/support/downloads/macosx1055comboupdate.html

Mac OS X 10.5.5 Update:
http://www.apple.com/support/downloads/macosx1055update.html

Mac OS X Server 10.5.5:
http://www.apple.com/support/downloads/macosxserver1055.html

Mac OS X Server Combo 10.5.5:
http://www.apple.com/support/downloads/macosxservercombo1055.html

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Chris Ries, Carnegie Mellon University
Computing Services.
3) The vendor credits IT Department of the West Seneca Central School
District
5) The vendor credits Michel Colman.
6) The vendor credits Yuxuan Wang, Sogou.
8) The vendor credits Robert Swiecki, Google Security Team.
11) The vendor credits Nevin Liber, Thomas Pelaia of Oak Ridge
National Lab, Thomas Tempelmann, and Ram Kolli.
12) Dan Kaminsky, IOActive
14) The vendor credits Christopher A. Grande, Middlesex Community
College
15) The vendor credits an anonymous person via iDefense VCP.
19) The vendor credits Hernan Ochoa of Core Security Technologies,
Tore Halset of pvv.org, and Matt Johnston of the University Computer
Club.
20) The vendor credits Edwin McKenzie.
22) The vendor credits Leon von Tippelskirch and Matthias Wieczorek
of the Chair for Applied Software Engineering, TU Munich

ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3137

OTHER REFERENCES:
SA29000:
http://secunia.com/advisories/29000/

SA29522:
http://secunia.com/advisories/29522/

SA29602:
http://secunia.com/advisories/29602/

SA29792:
http://secunia.com/advisories/29792/

SA30657:
http://secunia.com/advisories/30657/

SA30924:
http://secunia.com/advisories/30924/

SA31610:
http://secunia.com/advisories/31610/

SA31821:
http://secunia.com/advisories/31821/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------