This document describes the security content of Mac OS X 10.4.9 and Security Update 2007-003, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see "Apple Security Updates."
Software Update will present the update that applies to your system configuration. Only one is needed. Security Update 2007-003 will install on Mac OS X v10.3.9 and Mac OS X Server v10.3.9 systems.
Mac OS X v10.4.9 contains the security fixes present in Security Update 2007-003 and will install on Mac OS X v10.4 or later, as well as Mac OS X Server v10.4 or later systems.
ColorSync
CVE-ID: CVE-2007-0719
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Viewing a maliciously-crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution
Description: A stack buffer overflow exists in the handling of embedded ColorSync profiles. By enticing a user to open a maliciously-crafted image, an attacker can trigger the overflow, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of ColorSync profiles. Credit to Tom Ferris of Security-Protocols for reporting this issue.
CoreGraphics
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Viewing a malformed PDF Document may lead to an application hang
Description: CoreGraphics has been updated to address the issue described on the Month of Apple Bugs web site (MOAB-06-01-2007), which may lead to an application hang.
Crash Reporter
CVE-ID: CVE-2007-0467
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Crash Reporter may allow a local admin user to obtain system privileges
Description: Crash Reporter uses an admin-writable system directory to store logs of processes that have been unexpectedly terminated. A malicious process running as an admin can cause these logs to be written to arbitrary files as root, which could result in the execution of commands with elevated privileges. This issue has been described on the Month of Apple Bugs web site (MOAB-28-01-2007). This update addresses the issue by performing additional validation prior to writing to log files.
CUPS
CVE-ID: CVE-2007-0720
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Remote attackers may cause a denial of service during SSL negotiation
Description: A partially-negotiated SSL connection with the CUPS service may prevent other requests from being served until the connection is closed. This update addresses the issue by implementing timeouts during SSL negotiation.
Disk Images
CVE-ID: CVE-2007-0721
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Mounting a maliciously-crafted disk image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption vulnerability exists in diskimages-helper. By enticing a user to open a maliciously-crafted compressed disk image, an attacker could trigger this issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of disk images.
Disk Images
CVE-ID: CVE-2007-0722
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Mounting a maliciously-crafted AppleSingleEncoding disk image may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow vulnerability exists in the handler for AppleSingleEncoding disk images. By enticing a local user to open a maliciously-crafted disk image, an attacker could trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of AppleSingleEncoding disk images.
Disk Images
CVE-ID: CVE-2006-6061, CVE-2006-6062, CVE-2006-5679, CVE-2007-0229, CVE-2007-0267, CVE-2007-0299
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Downloading a maliciously-crafted disk image may lead to an unexpected system shutdown or arbitrary code execution
Description: Several vulnerabilities exist in the processing of disk images that may lead to an unexpected termination of system operations or arbitrary code execution. These have been described on the Month of Kernel Bugs and Month of Apple Bugs web sites (MOKB-03-11-2006, MOKB-20-11-2006, MOKB-21-11-2006, MOAB-10-01-2007, MOAB-11-01-2007 and MOAB-12-01-2007). Since a disk image may be automatically mounted when visiting web sites, this allows a malicious web site to cause a denial of service. This update addresses the issue by performing additional validation of downloaded disk images prior to mounting them.
DS Plug-Ins
CVE-ID: CVE-2007-0723
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Unprivileged LDAP users may be able to change the local root password
Description: An implementation flaw in DirectoryService allows an unprivileged LDAP user to change the local root password. The authentication mechanism in DirectoryService has been fixed to address this issue.
Flash Player
CVE-ID: CVE-2006-5330
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Playing maliciously-crafted Flash content could allow an HTTP request splitting attack
Description: Adobe Flash Player is updated to version 9.0.28.0 to fix a potential vulnerability that could allow HTTP request splitting attacks. This issue is described as APSB06-18 on the Adobe web site at http://www.adobe.com/support/security/
GNU Tar
CVE-ID: CVE-2006-6097
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Extracting a maliciously-crafted tar archive may lead to arbitrary files being overwritten
Description: GNU Tar does not correctly handle tar archives that contain a GNUTYPES_NAME record with a symbolic link. By enticing a local user to extract a maliciously-crafted tar archive, an attacker may cause arbitrary files to be overwritten with the permissions of the person using tar. This issue has been addressed by performing additional validation of tar files.
HFS
CVE-ID: CVE-2007-0318
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Removing a file from a maliciously-crafted mounted filesystem may lead to a denial of service
Description: An HFS+ filesystem in a mounted disk image can be constructed to trigger a kernel panic when attempting to remove a file from a mounted filesystem. This has been described on the Month of Apple Bugs web site (MOAB-13-01-2007). This update addresses the issue by performing additional validation of the HFS+ filesystem.
HID Family
CVE-ID: CVE-2007-0724
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Console keyboard events are exposed to other users on the local system
Description: Insufficient controls in the IOKit HID interface allow any logged in user to capture console keystrokes, including passwords and other sensitive information. This update addresses the issue by limiting HID device events to processes belonging to the current console user. Credit to Andrew Garber of University of Victoria, Alex Harper, and Michael Evans for reporting this issue.
ImageIO
CVE-ID: CVE-2007-1071
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Viewing a maliciously-crafted GIF file may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow vulnerability exists in the process of handling GIF files. By enticing a user to open a maliciously-crafted image, an attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of GIF files. This issue does not affect systems prior to Mac OS X v10.4. Credit to Tom Ferris of Security-Protocols for reporting this issue.
ImageIO
CVE-ID: CVE-2007-0733
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Viewing a maliciously-crafted RAW Image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the process of handling RAW images. By enticing a user to open a maliciously-crafted image, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of RAW images. This issue does not affect systems prior to Mac OS X v10.4. Credit to Luke Church of the Computer Laboratory, University of Cambridge, for reporting this issue.
Kernel
CVE-ID: CVE-2006-5836
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Malicious local users may be able to cause a denial of service
Description: Using the fpathconf() system call on certain file types will result in a kernel panic. This has been described on the Month of Kernel Bugs web site (MOKB-09-11-2006). This update addresses the issue through improved handling for all kernel defined file types. Credit to Ilja van Sprundel for reporting this issue.
Kernel
CVE-ID: CVE-2006-6126
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Executing a maliciously-crafted Mach-O binary may lead to an unexpected termination of system operations.
Description: An implementation issue exists in the kernel's handling of faults while loading Mach-O binaries. This could allow a malicious local user to cause a kernel panic. This issue has been described on the Month of Kernel Bugs web site (MOKB-23-11-2006). This issue only affects systems with Intel processors. This issue does not allow kernel memory corruption and can not lead to privilege escalation. This update addresses the issue by performing additional validation of Mach-O binaries.
Kernel
CVE-ID: CVE-2006-6129
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Executing a maliciously-crafted Universal Mach-O binary may lead to an unexpected termination of system operations or arbitrary code execution with elevated privileges
Description: An integer overflow vulnerability exists in the loading of Universal Mach-O binaries. This could allow a malicious local user to cause a kernel panic or to obtain system privileges. This has been described on the Month of Kernel Bugs web site (MOKB-26-11-2006). This update addresses the issue by performing additional validation of Universal binaries.
Kernel
CVE-ID: CVE-2006-6173
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Executing a maliciously-crafted program may lead to a system hang
Description: The shared_region_make_private_np() system call allows a program to request a large allocation of kernel memory. This could allow a malicious local user to cause a system hang. This issue does not allow an integer overflow to occur, and it cannot lead to arbitrary code execution. This issue has been described on the Month of Kernel Bugs web site (MOKB-28-11-2006). This update addresses the issue by additional validation of the arguments passed to shared_region_make_private_np().
Kernel
CVE-ID: CVE-2007-0430
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Malicious local users may be able to cause a system hang
Description: The shared_region_map_file_np system call allows a program to request a large allocation of kernel memory. This could allow a malicious local user to cause a system hang. This issue does not lead to arbitrary code execution. This update addresses the issue through additional validation of the arguments passed to shared_region_map_file_np. Credit to RISE Security for reporting this issue.
MySQL Server
CVE-ID: CVE-2006-1516, CVE-2006-1517, CVE-2006-2753, CVE-2006-3081, CVE-2006-4031, CVE-2006-4226, CVE-2006-3469
Available for: Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Multiple vulnerabilities in MySQL, the most serious of which is arbitrary code execution
Description: MySQL is updated from version 4.1.13 to 4.1.22. Further information is available via the MySQL web site at http://dev.mysql.com/doc/refman/4.1/en/news-4-1-x.html
Networking
CVE-ID: CVE-2006-6130
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Malicious local users may be able to cause an unexpected termination of system operations or execute arbitrary code with elevated privileges
Description: A memory corruption issue exists in the AppleTalk protocol handler. This could allow a malicious local user to cause a kernel panic or gain system privileges. This has been described on the Month of Kernel Bugs web site (MOKB-27-11-2006). This update addresses the issue by performing additional validation of the input data structures.
Networking
CVE-ID: CVE-2007-0236
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Maliciously-crafted AppleTalk requests may lead to a local denial of service or arbitrary code execution
Description: A heap buffer overflow vulnerability exists in the AppleTalk protocol handler. By sending a maliciously-crafted request, a local user can trigger the overflow which may lead to a denial of service or arbitrary code execution. This has been described on the Month of Apple Bugs web site (MOAB-14-01-2007). This update addresses the issue by performing additional validation of the input data.
OpenSSH
CVE-ID: CVE-2007-0726
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: A remote attacker can destroy established trust between SSH hosts by causing SSH Keys to be regenerated
Description: SSH keys are created on a server when the first SSH connection is established. An attacker connecting to the server before SSH has finished creating the keys could force the keys then to be recreated. This could result in a denial of service against processes that rely on a trust relationship with the server. Systems that already have SSH enabled and have rebooted at least once are not vulnerable to this issue. This issue is addressed by improving the SSH key generation process. This issue is specific to the Apple implementation of OpenSSH. Credit to Jeff Mccune of The Ohio State University for reporting this issue.
OpenSSH
CVE-ID: CVE-2006-0225, CVE-2006-4924, CVE-2006-5051, CVE-2006-5052
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Multiple vulnerabilities in OpenSSH, the most serious of which is arbitrary code execution
Description: OpenSSH is updated to version 4.5. Further information is available via the OpenSSH web site at http://www.openssh.org/txt/release-4.5.
Printing
CVE-ID: CVE-2007-0728
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: An unprivileged local user can overwrite arbitrary files with system privileges
Description: Insecure file operations may occur during the initialization of a USB printer. An attacker may leverage this issue to create or overwrite arbitrary files on the system. This update addresses the issue by improving the printer initialization process.
QuickDraw Manager
CVE-ID: CVE-2007-0588
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Opening a maliciously-crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow vulnerability exists in QuickDraw's PICT image processing. By enticing a user to open a maliciously-crafted image, an attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT files. Credit to Tom Ferris of Security-Protocols and Mike Price of McAfee AVERT Labs for reporting this issue.
QuickDraw Manager
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Opening a malformed PICT image may lead to an unexpected application termination
Description: QuickDraw Manager has been updated to address the issue described on the Month of Apple Bugs web site (MOAB-23-01-2007), which may lead to an unexpected application termination. This issue can not lead to arbitrary code execution.
servermgrd
CVE-ID: CVE-2007-0730
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Remote attackers may be able to access Server Manager without valid credentials
Description: An issue in Server Manager's validation of authentication credentials could allow a remote attacker to alter the system configuration. This update addresses the issue by additional validation of authentication credentials.
SMB File Server
CVE-ID: CVE-2007-0731
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: A user with write access to an SMB share may be able to cause a denial of service or arbitrary code execution
Description: A stack buffer overflow vulnerability exists in an Apple-specific Samba module. A file with an overly-long ACL could trigger the overflow, which may lead to a denial of service or arbitrary code execution. This update addresses the issue by performing additional validation of ACLs. This issue does not affect systems prior to Mac OS X v10.4. Credit to Cameron Kay of Massey University, New Zealand for reporting this issue.
Software Update
CVE-ID: CVE-2007-0463
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Opening a maliciously-crafted Software Update Catalog file may lead to an unexpected application termination or arbitrary code execution
Description: A format string vulnerability exists in the Software Update application. By enticing a user to download and open a Software Update Catalog file, an attacker can trigger the vulnerability which may lead to an unexpected application termination or arbitrary code execution. This has been described on the Month of Apple Bugs web site (MOAB-24-01-2007). This update addresses the issue by removing document bindings for Software Update Catalogs. This issue does not affect systems prior to Mac OS X v10.4. Credit to Kevin Finisterre of DigitalMunition for reporting this issue.
sudo
CVE-ID: CVE-2005-2959
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: A local user with sudo access to a bash script can run arbitrary commands with elevated privileges
Description: A user-modified sudo configuration could allow environment variables to be passed through to the program running as a privileged user. If sudo is configured to allow an otherwise unprivileged user to execute a given bash script with elevated privileges, the user may be able to execute arbitrary code with elevated privileges. Systems with the default sudo configuration are not vulnerable to this issue. This issue has been addressed by updating sudo to 1.6.8p12. Further information is available via the sudo web site at http://www.sudo.ws/sudo/current.html
WebLog
CVE-ID: CVE-2006-4829
Available for: Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: A remote attacker can conduct cross-site scripting attacks through Blojsom
Description: A cross-site scripting vulnerability exists in Blojsom. This allows remote attackers to inject JavaScript into blog content that will execute in the domain of the Blojsom server. This update addresses the issue by performing additional validation of the user input. This issue does not affect systems prior to Mac OS X v10.4.
Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance or use of information or products found at third-party websites. Apple provides this only as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the Internet, and Apple assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website. Please contact the vendor for additional information.