SecurityTracker.com
Category:   Application (E-mail Client)  >   Apple Mail
Vendors:   Apple
Apple Mail May Use Plaintext Authentication When SMTP Authentication is Selected
SecurityTracker Alert ID:  1019107
SecurityTracker URL:  http://securitytracker.com/id/1019107
CVE Reference:   CVE-2007-5855
Updated:  Dec 22 2007
Original Entry Date:  Dec 18 2007
Impact:   Disclosure of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Apple Mail. A remote user may be able to obtain an e-mail password.

When an SMTP account is set up using Account Assistant and SMTP authentication is selected, the mail client will send the password in plaintext to the mail server if the server supports only MD5 Challenge-Response authentication and plaintext authentication. A remote user monitoring the network may be able to obtain the target user's mail password.

Mac OS X versions 10.5 and later are not affected.
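
The negotiation the description refers to, as an added example that is not code from Apple or from this advisory: a client-side AUTH selection that prefers CRAM-MD5 and refuses to fall back to plaintext on an unencrypted connection. The function names, the preference policy and the sample EHLO reply are assumptions constructed for illustration.

```python
import base64
import hmac

# Mechanisms that put the password itself on the wire (base64 is not encryption).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# Client preference order, strongest first (assumed policy for this example).
PREFERENCE = ["CRAM-MD5", "PLAIN", "LOGIN"]


def advertised_auth(ehlo_response):
    """Extract the AUTH mechanisms from a multi-line EHLO reply."""
    mechs = set()
    for line in ehlo_response.splitlines():
        # Reply lines look like "250-AUTH CRAM-MD5 PLAIN" or "250 AUTH=PLAIN LOGIN".
        parts = line[4:].strip().upper().replace("=", " ").split()
        if parts and parts[0] == "AUTH":
            mechs.update(parts[1:])
    return mechs


def choose_mechanism(mechs, tls_active):
    """Pick the strongest offered mechanism; never use plaintext without TLS."""
    for mech in PREFERENCE:
        if mech not in mechs:
            continue
        if mech in PLAINTEXT_MECHS and not tls_active:
            continue  # would expose the password to anyone monitoring the network
        return mech
    raise RuntimeError("no acceptable AUTH mechanism; refusing to send password")


def cram_md5_response(user, password, challenge_b64):
    """RFC 2195 response: the password keys an HMAC-MD5 and is never transmitted."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, "md5").hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


# Constructed EHLO reply from a server offering only CRAM-MD5 and plaintext.
SAMPLE_EHLO = (
    "250-mail.example.test\r\n"
    "250-SIZE 10240000\r\n"
    "250 AUTH CRAM-MD5 PLAIN\r\n"
)

if __name__ == "__main__":
    offered = advertised_auth(SAMPLE_EHLO)
    print(sorted(offered), "->", choose_mechanism(offered, tls_active=False))
```
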

Impact:   A remote user monitoring the network may be able to obtain the target user's mail password.
Solution:   The vendor has issued a fix (APPLE-SA-2007-12-17 Security Update 2007-009 v1.1), available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

For Mac OS X v10.5.1
The download file is named: "SecUpd2007-009.dmg"
Its SHA-1 digest is: 0ba35ef30a525792f1d4015395997b42f524dd38

For Mac OS X v10.4.11 (Universal)
The download file is named: "SecUpd2007-009Univ.dmg"
Its SHA-1 digest is: 49f52d4f647ea4a1fabef34cccac263bfd03791a

For Mac OS X v10.4.11 (PPC)
The download file is named: "SecUpd2007-009Ti.dmg"
Its SHA-1 digest is: d1c5c4bc23267dd846bb96e7be69b084579c1bba

The Apple advisories are available at:

http://docs.info.apple.com/article.html?artnum=307179
http://docs.info.apple.com/article.html?artnum=307224

[Editor's note: The original security update 2007-009 issued on December 17, 2007 contained a performance issue that may cause Safari to crash. On December 21, 2007, Apple issued the revised security update 2007-009 v1.1. Customers should apply the new update.]

Vendor URL:  docs.info.apple.com/article.html?artnum=307179
Cause:   Access control error, State error
Underlying OS:  UNIX (macOS/OS X)
Underlying OS Comments:  prior to 10.5

Message History:   None.


Copyright 2020, SecurityGlobal.net LLC