----------------------------------------------------------------------

Secunia customers receive relevant and filtered advisories.
Delivery is done via different channels including SMS, Email, Web,
and https based XML feed.
http://corporate.secunia.com/trial/38/request/

----------------------------------------------------------------------

TITLE:
Mac OS X Security Update Fixes Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA24966

VERIFY ADVISORY:
http://secunia.com/advisories/24966/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Manipulation of data, Exposure of sensitive
information, Privilege escalation, DoS, System access

WHERE:
>From remote

OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/

DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.

1) An error in the AFP Client can be exploited by malicious, local
users to create files or execute commands with system privileges.

2) A boundary error exists in the AirPortDriver module, which can be
exploited by malicious, local users to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code with
escalated privileges.

NOTE: This does not affect systems with the AirPort Extreme card.

3) An error in the CoreServices daemon can be exploited by malicious,
local users to obtain a send right to its Mach task port.

Successful exploitation may allow execution of arbitrary code with
escalated privileges.

4) An error in fsck can be exploited to cause memory corruption via a
specially crafted UFS file system.

Successful exploitation may allow execution of arbitrary code, when a
malicious UFS file system is opened.

5) An error in fetchmail can be exploited by malicious people to gain
knowledge of sensitive information.

For more information:
SA23631

6) An error in lukemftpd within the handling of commands with
globbing characters can be exploited by malicious users to cause a
buffer overflow.

Successful exploitation may allow execution of arbitrary code.

7) A boundary error in GNU Tar can be exploited by malicious people
to cause a DoS (Denial of Service) or to compromise a user's system.

For more information:
SA18973

8) A format string error in the Help Viewer application can be
exploited by malicious people to execute arbitrary code.

Successful exploitation requires that a user is tricked into
downloading and opening a help file with a specially crafted name.

9) An error in the IOKit HID interface can be exploited by malicious,
local users to capture console keystrokes from other users.

NOTE: This fix was originally distributed via the Mac OS X v10.4.9
update. However, due to a packaging issue it may not have been
delivered to all systems.

10) A format string error in the Installer application can be
exploited by malicious people to execute arbitrary code.

Successful exploitation requires that a user is tricked into
downloading and opening an installer package with a specially crafted
name.

11) An error in Kerberos can be exploited by malicious people to
cause an DoS (Denial of Service) or to compromise a vulnerable
system.

For more information:
SA23696

12) Some errors in Kerberos can be exploited by malicious users to
cause a DoS or to compromise a vulnerable system.

For more information see vulnerabilities #2 and #3 in:
SA24740

13) An error in Libinfo can cause a previously deallocated object to
be accessed when a specially crafted web page is viewed.

Successful exploitation may allow execution of arbitrary code.

14) An integer overflow exists in the RPC library. This can be
exploited by malicious people to cause a DoS or to execute arbitrary
code as the user "daemon" by sending a specially crafted packet to
the portmap service.

15) An error in Login Window in the processing of environment
variables can be exploited by malicious, local users to execute
arbitrary code with system privileges.

16) Under certain conditions it is possible to bypass the screen
saver authentication dialog.

17) Under certain conditions it is possible for a person with
physical access to the system to log in without authentication when
the software update window appears beneath the Login Window.

18) An error in natd within the handling of RTSP packets can be
exploited by malicious people to cause a buffer overflow by sending a
specially crafted packet to an affected system.

Successful exploitation may allow execution of arbitrary code, but
requires that Internet Sharing is enabled.

19) An error in SMB can be exploited by malicious, local users to
create files or execute commands with system privileges.

20) A weakness in the System Configuration can be exploited by
malicious, local users to gain escalated privileges.

For more information:
SA23793

21) The username and password used to mount remote file systems via
SMB are passed to the mount_smb command as command line arguments.
This can be exploited by malicious, local users to gain knowledge of
other users' credentials.

22) An error in the VideoConference framework can be exploited by
malicious people to cause a heap-based buffer overflow by sending a
specially crafted SIP packet when initialising a conference.

Successful exploitation may allow execution of arbitrary code.

23) An error in the load_webdav program when mounting a WebDAV
filesystem can be exploited by malicious, local users to create files
or to execute commands with system privileges.

24) An error in WebFoundation allows cookies set by subdomains to be
accessible to the parent domain.

NOTE: This does not affect systems running Mac OS X v10.4.

SOLUTION:
Apply Security Update 2007-004.

Security Update 2007-004 (Universal):
http://www.apple.com/support/downloads/securityupdate2007004universal.html

Security Update 2007-004 (PPC):
http://www.apple.com/support/downloads/securityupdate2007004ppc.html

Security Update 2007-004 (10.3.9 Client):
http://www.apple.com/support/downloads/securityupdate20070041039client.html

Security Update 2007-004 (10.3.9 Server):
http://www.apple.com/support/downloads/securityupdate20070041039server.html

PROVIDED AND/OR DISCOVERED BY:
The vendor credits:

6) Kevin Finisterre, DigitalMunition
8) KF and LMH
9) Andrew Garber of University of Victoria, Alex Harper, and Michael
Evans
10) LMH
13) Landon Fuller of Three Rings Design
14) Mu Security Research Team
21) Daniel Ball of Pittsburgh Technical Institute, Geoff Franks of
Hauptman Woodward Medical Research Institute, and Jamie Cox of Sophos
Plc
24) Bradley Schwoerer of University of Wisconsin-Madison

ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=305391

MoAB:
8) http://projects.info-pull.com/moab/MOAB-30-01-2007.html
10) http://projects.info-pull.com/moab/MOAB-26-01-2007.html

OTHER REFERENCES:
SA18973:
http://secunia.com/advisories/18973/

SA23631:
http://secunia.com/advisories/23631/

SA23696:
http://secunia.com/advisories/23696/

SA23793:
http://secunia.com/advisories/23793/

SA24740:
http://secunia.com/advisories/24740/

US-CERT VU#312424:
http://www.kb.cert.org/vuls/id/312424

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------