Category:   OS (UNIX)  >   Mac OS X
Vendors:   Apple Computer
Mac OS X Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Upload/Access Files and Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1024103
SecurityTracker URL:  http://securitytracker.com/id/1024103
CVE Reference:   CVE-2010-0543, CVE-2010-0545, CVE-2010-0546, CVE-2010-1373, CVE-2010-1374, CVE-2010-1375, CVE-2010-1376, CVE-2010-1377, CVE-2010-1379, CVE-2010-1380, CVE-2010-1381, CVE-2010-1382, CVE-2010-1411
Date:  Jun 16 2010
Impact:   Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 10.6.4
Description:   Multiple vulnerabilities were reported in Mac OS X. A remote user can cause arbitrary code to be executed on the target user's system. A local user can obtain elevated privileges on the target system. A remote user can cause denial of service conditions. A remote user can conduct cross-site scripting attacks. A remote user can view or upload files on the target system.

A remote user can create a specially crafted MPEG2 movie file that, when loaded by the target user, will trigger a memory corruption error and execute arbitrary code on the target system [CVE-2010-0543]. The code will run with the privileges of the target user. For version 10.6.x, this bug was fixed in version 10.6.2.

When "Apply to enclosed items..." is selected in the Finder "Get Info" window, the ownership of the enclosed items is not changed [CVE-2010-0545]. As a result, the enclosed files and folders may have the wrong permissions. Michi Ruepp of pianobakery.com reported this vulnerability.

A user can create a specially crafted disk image or remote share that, when unmounted by the target user, will exploit a symlink flaw in Folder Manager and cause an arbitrary folder to be deleted with the permissions of the target user [CVE-2010-0546].

A remote user can create specially crafted HTML that, when loaded by the target user, will cause arbitrary JavaScript to be executed by the Help Viewer in the local domain [CVE-2010-1373]. Systems prior to Mac OS X version 10.6 are not affected. Clint Ruoho of Laconic Security reported this vulnerability.

A remote user can exploit a directory traversal flaw in iChat to upload files to arbitrary locations on the target user's system for users that are using AIM in iChat [CVE-2010-1374].

A local user can invoke NetAuthSysAgent to execute certain operations and obtain system privileges [CVE-2010-1375]. Mac OS X version 10.6 is not affected.

A remote user can create specially crafted HTML that, when loaded by the target user, will exploit a format string flaw in the processing of 'afp:', 'cifs:', and 'smb:' URLs to execute arbitrary code on the target user's system [CVE-2010-1376]. Systems prior to Mac OS X version 10.6 are not affected. Ilja van Sprundel of IOActive and Chris Ries of Carnegie Mellon University Computing Services reported this vulnerability.

Open Directory uses a non-secure connection if an SSL connection is not available when binding to a network account server via System Preferences. A remote user with the ability to conduct a man-in-the-middle attack can impersonate a network account server [CVE-2010-1377]. Systems prior to Mac OS X version 10.6 are not affected.

A device on the local network can advertise a printing service with a Unicode character in the service name to cause printing in certain applications to fail [CVE-2010-1379]. Filipp Lepalaan of mcare Oy reported this vulnerability.

A remote or local user with access to a printer can cause an integer overflow in the cgtexttops CUPS filter and execute arbitrary code [CVE-2010-1380]. Mac OS X versions prior to version 10.6 are not affected. regenrecht reported this vulnerability via iDefense.

A remote user can exploit a configuration flaw in the SMB File Server to obtain access to arbitrary files on the share [CVE-2010-1381].

A remote user can create specially crafted Wiki content that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser [CVE-2010-1382]. The code will originate from the site running the Mac OS X software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can create a specially crafted TIFF file that, when loaded by the target user, will trigger an integer overflow and execute arbitrary code on the target user's system [CVE-2010-1411]. Kevin Finisterre of digitalmunition.com reported this vulnerability.
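
The vendor's fix for CVE-2010-1382 is to specify a character set for the document in HTTP responses. The following added example (not code from the advisory or from Wiki Server) classifies raw HTTP responses by whether an HTML document declares one; the sample responses, paths and function names are constructed for illustration.

```python
import io
from http.client import parse_headers

HTML_TYPES = {"text/html", "application/xhtml+xml"}

def charset_finding(raw_response: bytes) -> str:
    """Classify a raw HTTP response by how it declares its character set."""
    fp = io.BytesIO(raw_response)
    fp.readline()                    # discard the status line
    headers = parse_headers(fp)      # reads up to the blank line before the body
    if headers.get("Content-Type") is None:
        return "no-content-type"     # the browser has to guess type and charset
    if headers.get_content_type() not in HTML_TYPES:
        return "not-html"
    charset = headers.get_content_charset()
    return f"ok:{charset}" if charset else "missing-charset"

# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "/wiki/page1": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "/wiki/page2": b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n<html></html>",
    "/wiki/logo": b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG",
    "/wiki/raw": b"HTTP/1.1 200 OK\r\nContent-Length: 13\r\n\r\n<html></html>",
}

def pages_missing_charset(samples=SAMPLES):
    """Return the paths whose responses leave the character set to the browser."""
    bad = ("missing-charset", "no-content-type")
    return sorted(p for p, raw in samples.items() if charset_finding(raw) in bad)

if __name__ == "__main__":
    for path, raw in SAMPLES.items():
        print(path, charset_finding(raw))
```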

Impact:   A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can cause denial of service conditions.

A local user can obtain system privileges on the target system.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the target user, access data recently submitted by the target user via web form to the target site, or take actions on the target site acting as the target user.

A remote user can view files on the target system.

A remote user can upload files to arbitrary locations on the target user's system.

Solution:   The vendor has issued a fix as part of Security Update 2010-004 / Mac OS X v10.6.4, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Security Update 2010-004 or Mac OS X v10.6.4.

For Mac OS X v10.6.3
The download file is named: MacOSXUpd10.6.4.dmg
Its SHA-1 digest is: e306451e458701dbbc0268bec87239f5490ec832

For Mac OS X v10.6 - v10.6.2
The download file is named: MacOSXUpdCombo10.6.4.dmg
Its SHA-1 digest is: b7ea3ebe1d0a98dfdc4cb107cb7127f5ac2cdb96

For Mac OS X Server v10.6.3
The download file is named: MacOSXServerUpd10.6.4.dmg
Its SHA-1 digest is: 7688a1a3d77b23ce142038ff295d868e37f79872

For Mac OS X Server v10.6 - v10.6.2
The download file is named: MacOSXServUpdCombo10.6.4.dmg
Its SHA-1 digest is: dd38a7d63a4383e608da99ffcf70e6dc213082b3

For Mac OS X v10.5.8
The download file is named: SecUpd2010-004.dmg
Its SHA-1 digest is: 0555958e44a52a447e4fd67469299f0d35286a8a

For Mac OS X Server v10.5.8
The download file is named: SecUpdSrvr2010-004.dmg
Its SHA-1 digest is: 222d512a8c0de61fcb9d9a130d660bb5a52e6402
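
An added example (not part of the advisory or of Apple's tooling): one way to check a downloaded update image against the SHA-1 digests listed above before installing it. The file names and digests are copied from this page; the function names are illustrative.

```python
import hashlib
import hmac
import os

# File names and SHA-1 digests exactly as listed in this advisory.
EXPECTED_SHA1 = {
    "MacOSXUpd10.6.4.dmg": "e306451e458701dbbc0268bec87239f5490ec832",
    "MacOSXUpdCombo10.6.4.dmg": "b7ea3ebe1d0a98dfdc4cb107cb7127f5ac2cdb96",
    "MacOSXServerUpd10.6.4.dmg": "7688a1a3d77b23ce142038ff295d868e37f79872",
    "MacOSXServUpdCombo10.6.4.dmg": "dd38a7d63a4383e608da99ffcf70e6dc213082b3",
    "SecUpd2010-004.dmg": "0555958e44a52a447e4fd67469299f0d35286a8a",
    "SecUpdSrvr2010-004.dmg": "222d512a8c0de61fcb9d9a130d660bb5a52e6402",
}

def sha1_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large disk image is never held in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def verify_update(path, expected=EXPECTED_SHA1):
    """Return True only if the file's SHA-1 matches the digest listed for its name.

    An unlisted file name raises ValueError so that a renamed or unexpected
    download is never reported as verified.
    """
    name = os.path.basename(path)
    if name not in expected:
        raise ValueError(f"{name} is not one of the listed downloads")
    return hmac.compare_digest(sha1_of(path), expected[name].lower())

if __name__ == "__main__":
    import sys
    for candidate in sys.argv[1:]:
        print(candidate, "OK" if verify_update(candidate) else "DIGEST MISMATCH")
```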

The vendor's advisory is available at:

http://support.apple.com/kb/HT4188

Vendor URL:  support.apple.com/kb/HT4188
Cause:   Access control error, Boundary error, Configuration error, Input validation error
Underlying OS:  

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 8 2010 (Red Hat Issues Fix for libtiff) Mac OS X Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Upload/Access Files and Local Users Gain Elevated Privileges   (bugzilla@redhat.com)
Red Hat has issued a fix for LibTIFF for Red Hat Enterprise Linux 4 and 5.
Jul 8 2010 (Red Hat Issues Fix for libtiff) Mac OS X Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Upload/Access Files and Local Users Gain Elevated Privileges   (bugzilla@redhat.com)
Red Hat has issued a fix for LibTIFF for Red Hat Enterprise Linux 3.



 Source Message Contents

Date:  Wed, 16 Jun 2010 03:48:08 +0000
Subject:  Apple Mac OS X


APPLE-SA-2010-06-15-1 Security Update 2010-004 / Mac OS X v10.6.4

ImageIO
CVE-ID:  CVE-2010-0543
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption exists in the handling of MPEG2
encoded movie files. Viewing a maliciously crafted movie file may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed by performing additional
validation of MPEG2 encoded movie files. For Mac OS X v10.6 systems
this issue is addressed in Mac OS X v10.6.2. Credit: Apple.

DesktopServices
CVE-ID:  CVE-2010-0545
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  A Finder operation may result in files or folders with
unexpected permissions
Description:  When "Apply to enclosed items..." is selected in the
"Get Info" window in the Finder, the ownership of the enclosed items
is not changed. This may cause the enclosed files and folders to have
unexpected permissions. This issue is addressed by applying the
correct ownership. Credit to Michi Ruepp of pianobakery.com for
reporting this issue.

Folder Manager
CVE-ID:  CVE-2010-0546
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  Unmounting a maliciously crafted disk image or remote share
may lead to data loss
Description:  A symlink following issue exists in Folder Manager. A
folder named "Cleanup At Startup" is removed upon unmount. A
maliciously crafted volume may use a symlink to cause the deletion of
an arbitrary folder with the permissions of the current user. This
issue is addressed through improved handling of symlinks. Credit:
Apple.

Help Viewer
CVE-ID:  CVE-2010-1373
Available for:  Mac OS X v10.6 through v10.6.3,
Mac OS X Server v10.6 through v10.6.3
Impact:  Visiting a maliciously crafted website may lead to the
execution of JavaScript in the local domain
Description:  A cross-site scripting issue exists in Help Viewer's
handling of help: URLs. Visiting a maliciously crafted website may
lead to the execution of JavaScript in the local domain. This may
lead to information disclosure or arbitrary code execution. This
issue is addressed through improved escaping of URL parameters in
HTML content. This issue does not affect systems prior to Mac OS X
v10.6. Credit to Clint Ruoho of Laconic Security for reporting this
issue.

iChat
CVE-ID:  CVE-2010-1374
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  A remote user may upload files to arbitrary locations on the
filesystem of a user currently using AIM in iChat
Description:  A directory traversal issue exists in iChat's handling
of inline image transfers. A remote user may upload files to
arbitrary locations on the filesystem of a user currently using AIM
in iChat. This issue is addressed through improved handling of file
paths. Credit: Apple.

Network Authorization
CVE-ID:  CVE-2010-1375
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact:  A local user may obtain system privileges
Description:  NetAuthSysAgent does not require authorization for
certain operations. This may allow a local user to obtain system
privileges. This issue is addressed by requiring authorization for
additional operations. This issue does not affect Mac OS X v10.6
systems. Credit: Apple.

Network Authorization
CVE-ID:  CVE-2010-1376
Available for:  Mac OS X v10.6 through v10.6.3,
Mac OS X Server v10.6 through v10.6.3
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A format string issue exists in the handling of afp:,
cifs:, and smb: URLs. Visiting a maliciously crafted website may lead
to an unexpected application termination or arbitrary code execution.
This issue is addressed through improved validation of afp:, cifs:,
and smb: URLs. This issue does not affect systems prior to Mac OS X
v10.6. Credit to Ilja van Sprundel of IOActive, and Chris Ries of
Carnegie Mellon University Computing Services for reporting this
issue.

Open Directory
CVE-ID:  CVE-2010-1377
Available for:  Mac OS X v10.6 through v10.6.3,
Mac OS X Server v10.6 through v10.6.3
Impact:  A man-in-the-middle attacker may be able to impersonate a
network account server
Description:  When binding to a network account server via System
Preferences, Open Directory will automatically negotiate an
unprotected connection to the server if it is not possible to connect
to the server with Secure Sockets Layer (SSL). A man-in-the-middle
attacker may be able to impersonate the network account server, which
may lead to arbitrary code execution with system privileges. This
issue is addressed by providing an option to require a secure
connection. This issue does not affect systems prior to Mac OS X
v10.6.

Printer Setup
CVE-ID:  CVE-2010-1379
Available for:  Mac OS X v10.6 through v10.6.3,
Mac OS X Server v10.6 through v10.6.3
Impact:  Network devices may disable printing in certain applications
Description:  A character encoding issue exists in Printer Setup's
handling of nearby printers. If a device on the local network
advertises a printing service with a Unicode character in its service
name, printing may fail in certain applications. The issue is
addressed through improved handling of shared printers. This issue
does not affect systems prior to Mac OS X v10.6. Credit to Filipp
Lepalaan of mcare Oy for reporting this issue.

Printing
CVE-ID:  CVE-2010-1380
Available for:  Mac OS X v10.6 through v10.6.3,
Mac OS X Server v10.6 through v10.6.3
Impact:  A user with access to the printer may cause an unexpected
application termination or arbitrary code execution
Description:  An integer overflow issue exists in the calculation of
page sizes in the cgtexttops CUPS filter. A local or remote user with
access to the printer may cause an unexpected application termination
or arbitrary code execution. This issue is addressed through improved
bounds checking. This issue does not affect systems prior to Mac OS X
v10.6. Credit to regenrecht working with iDefense for reporting this
issue.

SMB File Server
CVE-ID:  CVE-2010-1381
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  A remote user may obtain unauthorized access to arbitrary
files
Description:  A configuration issue exists in Apple's distribution of
Samba, the server used for SMB file sharing. Using symbolic links, a
remote user with access to an SMB share may obtain unauthorized
access to arbitrary files. This issue is addressed by disabling
support for wide links in the Samba configuration file.

Wiki Server
CVE-ID:  CVE-2010-1382
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  Viewing maliciously crafted Wiki content may result in a
cross-site scripting attack
Description:  The Wiki Server does not specify an explicit character
set when serving HTML documents in response to user requests. An
attacker with the ability to post or comment on Wiki Server hosted
content may include scripts encoded in an alternate character set.
This may lead to a cross-site scripting attack against users of the
Wiki Server. The issue is addressed by specifying a character set for
the document in HTTP responses.

ImageIO
CVE-ID:  CVE-2010-1411
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  Opening a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple integer overflows in the handling of TIFF
files may result in a heap buffer overflow. Opening a maliciously
crafted TIFF file may lead to an unexpected application termination
or arbitrary code execution. The issues are addressed through
improved bounds checking. Credit to Kevin Finisterre of
digitalmunition.com for reporting these issues.
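
The fix for CVE-2010-1381 described in the message above is a configuration change: disabling support for wide links in the Samba configuration file. As an added example (not Apple's or Samba's code), this Python audit reports the effective `wide links` setting for each share in an smb.conf; the sample configuration and function names are constructed, and a share reported as `unset` falls back to the installed Samba version's default, which has to be checked separately.

```python
import re

BOOL = {"yes": "yes", "true": "yes", "1": "yes",
        "no": "no", "false": "no", "0": "no"}

def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}} for smb.conf text."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in ";#":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            key = re.sub(r"\s+", "", key).lower()
            sections[current][key] = value.strip()
    return sections

def wide_links_report(text):
    """Map each share to 'yes', 'no', 'unset' or 'invalid' for wide links."""
    conf = parse_smb_conf(text)
    inherited = conf.get("global", {}).get("widelinks")
    report = {}
    for share, params in conf.items():
        if share != "global":              # [global] only supplies the default
            value = params.get("widelinks", inherited)
            report[share] = "unset" if value is None else BOOL.get(value.lower(), "invalid")
    return report

SAMPLE = """; constructed sample: share names and paths are made up
[global]
   wide links = no
[public]
   path = /srv/public
[legacy]
   path = /srv/legacy
   Wide Links = Yes
"""

def shares_to_fix(text=SAMPLE):
    """Shares whose effective setting is anything other than an explicit 'no'."""
    return sorted(s for s, v in wide_links_report(text).items() if v != "no")
```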


 
 



Copyright 2014, SecurityGlobal.net LLC