SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   Apple Mail Vendors:   Apple
Apple Mail Buffer Overflow in Processing Attachments With Specially Crafted Real Names May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015762
SecurityTracker URL:  http://securitytracker.com/id/1015762
CVE Reference:   CVE-2006-0396   (Links to External Site)
Date:  Mar 14 2006
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Apple Mail. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can send an e-mail message with a specially crafted attachment. When the target user double-clicks on the attachment within the Apple Mail application, a buffer overflow may occur and arbitrary code may be executed. The code will run with the privileges of the target user.

A file in the AppleDouble format and with a long Real Name entry can trigger the overflow.

Versions prior to Mac OS X v10.4 are not affected.

The vulnerability was introduced in Security Update 2006-001 for Mail.app.

Apple credits Kevin Finisterre of DigitalMunition with reporting this vulnerability.

The original advisory is available at:

http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt

Impact:   A remote user can create an attachment that, when double clicked by the target user, will execute arbitrary code on the target user's system.
Solution:   Apple has issued a fix as part of Security Update 2006-002, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

For Mac OS X v10.4.5 (PowerPC) and Mac OS X Server v10.4.5
The download file is named: "SecUpd2006-002Ti.dmg"
Its SHA-1 digest is: b30acb6dda4fc1b2c9372c7da79763d42fa5e025

For Mac OS X v10.4.5 (Intel)
The download file is named: "SecUpd2006-002Intel.dmg"
Its SHA-1 digest is: 90166d4a40491364a0fd041216dc9d40c6430968

Vendor URL:  docs.info.apple.com/article.html?artnum=61798 (Links to External Site)
Cause:   Boundary error
Underlying OS:  UNIX (macOS/OS X)

Message History:   None.


 Source Message Contents

Subject:  APPLE-SA-2006-03-13 Security Update 2006-002

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2006-03-13 Security Update 2006-002

Security Update 2006-002 is now available and addresses the following
issues:

CoreTypes
CVE-ID:  CVE-2006-0400
Available for:  Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact:  Remote web sites can cause JavaScript to bypass the
same-origin policy
Description:  When documents containing Javascript are loaded
from a remote site, data access is restricted by the same-origin
policy. However, under certain situations, maliciously-crafted
archives can cause these restrictions to be bypassed. This
update addresses the issue by flagging these documents as
unsafe.

Mail
CVE-ID:  CVE-2006-0396
Available for:  Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact:  Double-clicking an attachment in Mail may result in
arbitrary code execution
Description:  By preparing a specially-crafted email message with
attachments, and enticing a user to double-click on that
attachment within Mail, an attacker may trigger a buffer
overflow. This could result in the execution of arbitrary code
with the privileges of the user running Mail. This issue
addresses the issue by performing additional bounds checking.
This issue does not affect systems prior to Mac OS X v10.4.
Credit to Kevin Finisterre of DigitalMunition for reporting this
issue.

Safari, LaunchServices, CoreTypes
CVE-ID:  CVE-2006-0397, CVE-2006-0398, CVE-2006-0399
Available for:  Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact:  Viewing a malicious web site may result in arbitrary
code execution
Description:  Security Update 2006-001 addressed an issue where
Safari could automatically open a file which appears to be a
safe file type, such as an image or movie, but is actually an
application. This update provides additional checks to identify
variations of the malicious file types addressed in Security
Update 2006-001 so that they are not automatically opened. This
issue does not affect systems prior to Mac OS X v10.4. Credit to
Will Dormann of CERT/CC and Andris Baumberger for reporting
several of these issues.

The following non-security issues introduced by Security Update
2006-001 are also addressed by this update:

* Download Validation: Security Update 2006-001 could cause the
user to be warned when provided with certain safe file types,
such as Word documents, or folders containing custom icons.
These unneeded warnings are removed with this update.

* apache_mod_php: A regression in PHP 4.4.1 that could prevent
SquirrelMail from functioning is corrected with this update.

* rsync: A regression in rsync that prevented the "--delete"
command line option from functioning is corrected with this
update.

Security Update 2006-002 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.5 (PowerPC) and Mac OS X Server v10.4.5
The download file is named:  "SecUpd2006-002Ti.dmg"
Its SHA-1 digest is:  b30acb6dda4fc1b2c9372c7da79763d42fa5e025

For Mac OS X v10.4.5 (Intel)
The download file is named:  "SecUpd2006-002Intel.dmg"
Its SHA-1 digest is:  90166d4a40491364a0fd041216dc9d40c6430968

For Mac OS X v10.3.9
The download file is named:  "SecUpd2006-002Pan.dmg"
Its SHA-1 digest is:  1dbc1e4ce152f00b4ffd49d10eb2191210a2edc9

For Mac OS X Server v10.3.9
The download file is named:  "SecUpdSrvr2006-002Pan.dmg"
Its SHA-1 digest is:  10226cd44c78976ea30fbe9e5bc6db07fe67c305

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.5 (Build 5050)

iQEVAwUBRBIZ1oHaV5ucd/HdAQJjbQf+IBX25bTtqfyG73Ru4qFWgcTDW/jJ1h9F
daupuK5QpNkGmdzE0ufQVv1Ep7DHrZWWCPBbdQj7Dswl8C+LvbeRypsWuhvYcJXW
bxirQZfoG6j6ilnjS8QtAUf2IysCJ+Iw0DZEm1p94zcjpMDSC0XcHJHn98zagXyY
7ggV5M/2dTHBcxujF53Qt520bTRp2PZdhOoSVv/ycUx3TGkO3VQ8EudTNDkCHHE8
KGj8s5xMpvfafTjP3vpjVzip3nuyz8rcoLre74h9TIStb2Pv5k7AfibN1fpCEMl7
vWPtLBw0OShmaipp+8oRAFcwsyT5ab3aB95AhYv+GkCisdT5VIlnyQ==
=VYq9
-----END PGP SIGNATURE-----

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (Security-announce@lists.apple.com)
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC