Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/30/2008
10:17 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Apple Plugs Growing List Of Security Holes

If you're an OS X user, and have yet to download today's 59-MB set of security patches, right now would be a good time to run Software Update. The vendor has patched 25 vulnerabilities, and some are fairly nasty at that.

If you're an OS X user, and have yet to download today's 59-MB set of security patches, right now would be a good time to run Software Update. The vendor has patched 25 vulnerabilities, and some are fairly nasty at that.A handful of the vulnerabilities are highly critical, and many have been known for some time, such as those in the open source scripting software Ruby. Many of the vulnerabilities in Apple Security Update 2008-004 could create conditions susceptible to arbitrary code execution attacks (which is security industry lingo for: hackers can run whatever they please on your machine).

This isn't the largest basket of patches shipped from Cupertino, Calif., this year. Just about three months ago, Apple released a bevy of patches that fixed 87 flaws that spanned 30 separate applications.

For what it's worth, I downloaded and installed Security Update 2008-004 without incident.

Here's the lowdown from the update, which is also available on Apple's download support page:

Alias Manager 
CVE-ID: CVE-2008-2308
 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Resolving an alias containing maliciously crafted volume mount information may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of AFP volume mount information in an alias data structure. Resolving an alias containing maliciously crafted volume mount information may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of alias data structures. This issue only affects Intel-based systems running Mac OS X 10.5.1 or earlier.

CoreTypes
 CVE-ID: CVE-2008-2309 
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3
Impact: Users are not warned before opening certain potentially unsafe content types
Description: This update adds .xht and .xhtm files to the system's list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious payload. This update improves the system's ability to notify users before handling .xht and .xhtm files. On Mac OS X v10.4 this functionality is provided by the Download Validation feature. On Mac OS X v10.5 this functionality is provided by the Quarantine feature. Credit to Brian Mastenbrook for reporting this issue.

c++filt 
CVE-ID: CVE-2008-2310
 Available for: Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3
Impact: Passing a maliciously crafted string to c++filt may lead to an unexpected application termination or arbitrary code execution
Description: A format string issue exists in c++filt, which is a debugging tool used to demangle C++ and Java symbols. Passing a maliciously crafted string to c++filt may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of format strings. This issue does not affect systems prior to Mac OS X 10.5.

Dock
 CVE-ID: CVE-2008-2314
 Available for: Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3
Impact: A person with physical access may be able to bypass the screen lock
Description: When the system is set to require a password to wake from sleep or screen saver, and Exposé hot corners are set, a person with physical access may be able to access the system without entering a password. This update addresses the issue by disabling hot corners when the screen lock is active. This issue does not affect systems prior to Mac OS X 10.5. Credit to Andrew Cassell of Marine Spill Response Corporation for reporting this issue.

Launch Services 
CVE-ID: CVE-2008-2311 
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A race condition exists in the download validation of symbolic links, when the target of the link changes during the narrow time window of validation. If the "Open 'safe' files" preference is enabled in Safari, visiting a maliciously crafted website may cause a file to be opened on the user's system, resulting in arbitrary code execution. This update addresses the issue by performing additional validation of downloaded files. This issue does not affect systems running Mac OS X 10.5 or later.

Net-SNMP 
CVE-ID: CVE-2008-0960
 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3
Impact: A remote attacker may be able to spoof an authenticated SNMPv3 packet
Description: An issue exists in Net-SNMP's SNMPv3 authentication, which may allow maliciously crafted packets to bypass the authentication check. This update addresses the issue by performing additional validation of SNMPv3 packets. Additional information is available via http://www.kb.cert.org/vuls/id/878044

Ruby
 CVE-ID: CVE-2008-2662, CVE-2008-2663, CVE-2008-2664, CVE-2008-2725, CVE-2008-2726 
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3
Impact: Running a Ruby script that uses untrusted input to access strings or arrays may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues exist in Ruby's handling of strings and arrays, the most serious of which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of strings and arrays.

Ruby
 CVE-ID: CVE-2008-1145 
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3
Impact: If WEBRick is running, a remote attacker may be able to access files protected by WEBrick's :NondisclosureName option
Description: The :NondisclosureName option in the Ruby WEBrick toolkit is used to restrict access to files. Requesting a file name which uses unexpected capitalization may bypass the :NondisclosureName restriction. This update addresses the issue by additional validation of file names. Additional information is available via http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/ The directory traversal issue described in the advisory does not affect Mac OS X.

SMB File Server 
CVE-ID: CVE-2008-1105
 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3
Impact: A remote attacker may be able to cause an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of SMB packets. Sending malicious SMB packets to a SMB server, or connecting to a malicious SMB server, may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking on the length of received SMB packets. Credit to Alin Rad Pop of Secunia Research for reporting this issue.

System Configuration
 CVE-ID: CVE-2008-2313 
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: A local user may be able to execute arbitrary code with the privileges of new users
Description: A local user may be able to populate the User Template directory with files that will become part of the home directory when a new user is created. This could allow arbitrary code execution with the privileges of the new user. This update addresses the issue by applying more restrictive permissions on the User Template directory. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Andrew Mortensen of the University of Michigan for reporting this issue.

Tomcat 
CVE-ID: CVE-2005-3164, CVE-2007-1355, CVE-2007-2449, CVE-2007-2450, CVE-2007-3382, CVE-2007-3383, CVE-2007-5333, CVE-2007-3385, CVE-2007-5461 
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Multiple vulnerabilities in Tomcat 4.1.36
Description: Tomcat version 4.x is bundled on Mac OS X v10.4.11 systems. Tomcat on Mac OS X v10.4.11 is updated to version 4.1.37 to address several vulnerabilities, the most serious of which may lead to a cross-site scripting attack. Further information is available via the Tomcat site at http://tomcat.apache.org/ Tomcat version 6.x is bundled with Mac OS X v10.5 systems.

VPN
CVE-ID CVE-2007-6276 
Available for: Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3
Impact: Remote attackers may be able to cause an unexpected application termination
Description: A divide by zero issue exists in the virtual private network daemon's handling of load balancing information. Processing a maliciously crafted UDP packet may lead to an unexpected application termination. This issue does not lead to arbitrary code execution. This update addresses the issue by performing additional validation of load balancing information. This issue does not affect systems prior to Mac OS X 10.5.

WebKit 
CVE-ID: CVE-2008-2307 
Available for: Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of JavaScript arrays. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Along with this fix, the version of Safari for Mac OS X v10.5.4 is updated to 3.1.2. For Mac OS X v10.4.11 and Windows XP / Vista, this issue is addressed in Safari v3.1.2 for those systems. Credit to James Urquhart for reporting this issue.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15864
PUBLISHED: 2021-01-17
An issue was discovered in Quali CloudShell 9.3. An XSS vulnerability in the login page allows an attacker to craft a URL, with a constructor.constructor substring in the username field, that executes a payload when the user visits the /Account/Login page.
CVE-2021-3113
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...