SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (E-mail Client)  >  Apple Mail Vendors:  Apple Computer
Apple Mail May Use Plaintext Authentication When SMTP Authentication is Selected
SecurityTracker Alert ID:  1019107
SecurityTracker URL:  http://securitytracker.com/id?1019107
CVE Reference:  CVE-2007-5855   (Links to External Site)
Updated:  Dec 22 2007
Original Entry Date:  Dec 18 2007
Impact:  Disclosure of authentication information
Fix Available:  Yes   Vendor Confirmed:  Yes  
Advisory:  Apple Security Advisory
Description:  A vulnerability was reported in Apple Mail. A remote user may be able to obtain an e-mail password.

When an SMTP account is set up using Account Assistant and SMTP authentication is selected, the mail client will send the password in plaintext to the mail server if the server supports only MD5 Challenge-Response authentication and plaintext authentication. A remote user monitoring the network may be able to obtain the target user's mail password.

Mac OS X versions 10.5 and later are not affected.
Impact:  A remote user monitoring the network may be able to obtain the target user's mail password.
Solution:  The vendor has issued a fix (APPLE-SA-2007-12-17 Security Update 2007-009 v1.1), available from from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

For Mac OS X v10.5.1
The download file is named: "SecUpd2007-009.dmg"
Its SHA-1 digest is: 0ba35ef30a525792f1d4015395997b42f524dd38

For Mac OS X v10.4.11 (Universal)
The download file is named: "SecUpd2007-009Univ.dmg"
Its SHA-1 digest is: 49f52d4f647ea4a1fabef34cccac263bfd03791a

For Mac OS X v10.4.11 (PPC)
The download file is named: "SecUpd2007-009Ti.dmg"
Its SHA-1 digest is: d1c5c4bc23267dd846bb96e7be69b084579c1bba

The Apple advisories are available at:

http://docs.info.apple.com/article.html?artnum=307179
http://docs.info.apple.com/article.html?artnum=307224

[Editor's note: The original security update 2007-009 issued on December 17, 2007 contained a performance issue that may cause Safari to crash. On December 21, 2007, Apple issued the revised security update 2007-009 v1.1. Customers should apply the new update.]
Vendor URL:  docs.info.apple.com/article.html?artnum=307179 (Links to External Site)
Cause:  Access control error, State error
Underlying OS:  UNIX (OS X)
Underlying OS Comments:  prior to 10.5

Message History:   None.

 Source Message Contents

 

[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC