Apple patches plenty of vulnerabilities in Mac OS X

Apple released Security Update 2010-002 which improves the security of Mac OS X.

AppKit
A buffer overflow exists in the spell checking feature used by Cocoa applications. Spell checking a maliciously crafted document may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. This issue does not affect Mac OS X v10.6 systems.

Application Firewall
A timing issue in the Application Firewall may cause certain rules to become inactive after reboot. The issue is addressed through improved handling of Firewall rules. This issue does not affect Mac OS X v10.6 systems.

AFP Server
An access control issue in AFP Server may allow a remote user to mount AFP shares as a guest, even if guest access is disabled. This issue is addressed through improved access control checks.

A directory traversal issue exists in the path validation for AFP shares. A remote user may enumerate the parent directory of the share root, and read or write files within that directory that are accessible to the ‘nobody’ user. This issue is addressed through improved handling of file paths.

Apache
An input validation issue exists in Apache’s handling of proxied FTP requests. A remote attacker with the ability to issue requests through the proxy may be able to bypass access control restrictions specified in the Apache configuration. This issue is addressed by updating Apache to version 2.2.14.

ClamAV
A configuration issue introduced in Security Update 2009-005 prevents freshclam from running. This may prevent virus definitions from being updated. This issue is addressed by updating freshclam’s launchd plist ProgramArguments key values. This issue does not affect Mac OS X v10.6 systems.

CoreAudio
A memory corruption issue exists in the handling of QDM2 encoded audio content. Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.

A memory corruption issue exists in the handling of QDMC encoded audio content. Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.

CoreMedia
A heap buffer overflow exists in CoreMedia’s handling of H.263 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of H.263 encoded movie files.

CoreTypes
This update adds .ibplugin and .url to the system’s list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious JavaScript payload or arbitrary code execution. This update improves the system’s ability to notify users before handling content types used by Safari.

CUPS
A format string issue exists in the lppasswd CUPS utility. This may allow a local user to obtain system privileges. Mac OS X v10.6 systems are only affected if the setuid bit has been set on the binary. This issue is addressed by using default directories when running as a setuid process.

curl
A canonicalization issue exists in curl’s handling of NULL characters in the subject’s Common Name (CN) field of X.509 certificates. This may lead to man-in-the-middle attacks against users of the curl command line tool, or applications using libcurl. This issue is addressed through improved handling of NULL characters.

curl will follow HTTP and HTTPS redirects when used with the -L option. When curl follows a redirect, it allows file:// URLs. This may allow a remote attacker to access local files. This issue is addressed through improved validation of redirects. This issue does not affect Mac OS X v10.6 systems.
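The two curl entries above describe checks a TLS client and an HTTP client must make: compare a certificate Common Name at its full declared length rather than up to the first NUL byte, and refuse to follow a redirect that leaves http/https. The following is an added Python illustration written for this page, not curl's or Apple's code; the CN bytes, URLs and the redirect chain are constructed sample input, and `follow_redirects` simulates responses with a plain dictionary instead of making network requests.

```python
from urllib.parse import urljoin, urlparse


def cn_matches_host(cn: bytes, host: str) -> bool:
    """Return True only if the certificate CN, taken at its full declared
    length, names `host`.  A CN containing an embedded NUL byte is rejected
    outright: a C-string comparison would stop at the NUL and accept a name
    the CA never actually certified."""
    if b"\x00" in cn:
        return False
    try:
        cn_text = cn.decode("ascii")
    except UnicodeDecodeError:
        return False
    return cn_text.lower() == host.lower()


# Only these schemes may be reached by following a Location header.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https"})


def safe_redirect_target(location: str, current_url: str):
    """Resolve a Location header against the current URL and return the
    absolute target only if its scheme is http or https.  Anything else
    (file://, ftp://, ...) returns None so the caller stops following."""
    target = urljoin(current_url, location)
    scheme = urlparse(target).scheme.lower()
    if scheme not in ALLOWED_REDIRECT_SCHEMES:
        return None
    return target


def follow_redirects(start_url: str, responses: dict, max_hops: int = 5):
    """Walk a constructed redirect chain.  `responses` maps a URL to the
    Location header it answers with, or None for a final (non-redirect)
    response.  Returns (urls_visited, reason)."""
    url = start_url
    visited = [url]
    for _ in range(max_hops):
        location = responses.get(url)
        if location is None:
            return visited, "final"
        nxt = safe_redirect_target(location, url)
        if nxt is None:
            return visited, "blocked: disallowed scheme"
        url = nxt
        visited.append(url)
    return visited, "blocked: too many redirects"


# Constructed sample chain: the second hop tries to redirect to a local file.
SAMPLE_CHAIN = {
    "https://www.example.com/start": "/step2",
    "https://www.example.com/step2": "file:///Users/me/notes.txt",
}

if __name__ == "__main__":
    print(cn_matches_host(b"www.example.com\x00.attacker.example", "www.example.com"))
    print(follow_redirects("https://www.example.com/start", SAMPLE_CHAIN))
```

The NUL check is deliberately done on the raw bytes before any decoding, because the defect lives in the gap between a length-prefixed ASN.1 string and a NUL-terminated C string; the redirect allowlist is an allowlist rather than a `file://` denylist so that other local-access schemes are refused as well.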

Cyrus IMAP
A buffer overflow exists in the handling of sieve scripts. By running a maliciously crafted sieve script, a local user may be able to obtain the privileges of the Cyrus user. This issue is addressed through improved bounds checking. This issue does not affect Mac OS X v10.6 systems.

Cyrus SASL
A buffer overflow exists in the Cyrus SASL authentication module. Using Cyrus SASL authentication may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. This issue does not affect Mac OS X v10.6 systems.

DesktopServices
When performing an authenticated copy in the Finder, original file ownership may be unexpectedly copied. This update addresses the issue by ensuring that copied files are owned by the user performing the copy. This issue does not affect systems prior to Mac OS X v10.6.

A path resolution issue in DesktopServices is vulnerable to a multi-stage attack. A remote attacker must first entice the user to mount an arbitrarily named share, which may be done via a URL scheme. When saving a file using the default save panel in any application, and using “Go to folder” or dragging folders to the save panel, the data may be unexpectedly saved to the malicious share. This issue is addressed through improved path resolution. This issue does not affect systems prior to Mac OS X v10.6.

Disk Images
A memory corruption issue exists in the handling of bzip2 compressed disk images. Mounting a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.

A design issue exists in the handling of internet enabled disk images. Mounting an internet enabled disk image containing a package file type will open it rather than revealing it in the Finder. The file quarantine feature helps to mitigate this issue by providing a warning dialog for unsafe file types. This issue is addressed through improved handling of package file types on internet enabled disk images.

Directory Services
An authorization issue in Directory Services’ handling of record names may allow a local user to obtain system privileges. This issue is addressed through improved authorization checks.

Dovecot
An access control issue exists in Dovecot when Kerberos authentication is enabled. This may allow an authenticated user to send and receive mail even if the user is not on the service access control list (SACL) of users who are permitted to do so. This issue is addressed through improved access control checks. This issue does not affect systems prior to Mac OS X v10.6.

Event Monitor
A reverse DNS lookup is performed on remote ssh clients that fail to authenticate. A plist injection issue exists in the handling of resolved DNS names. This may allow a remote attacker to cause arbitrary systems to be added to the firewall blacklist. This issue is addressed by properly escaping resolved DNS names.
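The Event Monitor entry is a textbook injection: a string obtained from an untrusted source (a reverse DNS answer) is written into a plist by concatenation, so markup inside the name becomes structure. The following added Python example, written for this page and not Apple's code, contrasts the naive builder with a serializer that escapes, and adds a hostname syntax check so that a value which is not even a plausible DNS name is dropped before it reaches the list. The hostile name and the `Blacklist` key are constructed for the demonstration.

```python
import plistlib
import re

# Syntactic check for a DNS hostname: labels of 1-63 alphanumerics/hyphens,
# not starting or ending with a hyphen, total length at most 253.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?$"
)


def is_plausible_hostname(name: str) -> bool:
    """True only for strings that have the shape of a DNS hostname."""
    return HOSTNAME_RE.match(name) is not None


def filter_hostnames(names):
    """Keep only resolved names that pass the syntax check."""
    return [n for n in names if is_plausible_hostname(n)]


def unsafe_blacklist_plist(names) -> bytes:
    """The flawed pattern: text concatenation with no escaping, so a name
    containing '</string><string>' yields extra array entries."""
    items = "".join(f"<string>{n}</string>" for n in names)
    doc = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
        '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
        '<plist version="1.0"><dict><key>Blacklist</key>'
        f"<array>{items}</array></dict></plist>\n"
    )
    return doc.encode("utf-8")


def escaped_blacklist_plist(names) -> bytes:
    """The corrected pattern: let the plist serializer escape every value,
    so one resolved name is always exactly one array entry."""
    return plistlib.dumps({"Blacklist": list(names)}, fmt=plistlib.FMT_XML)


def blacklist_entries(plist_bytes: bytes):
    """Parse a plist back and return the Blacklist array as the system would."""
    return plistlib.loads(plist_bytes)["Blacklist"]


# Constructed hostile reverse-DNS answer carrying plist markup.
HOSTILE_NAME = "attacker.example</string><string>victim.example"

if __name__ == "__main__":
    print(blacklist_entries(unsafe_blacklist_plist([HOSTILE_NAME])))   # two entries
    print(blacklist_entries(escaped_blacklist_plist([HOSTILE_NAME])))  # one entry
    print(filter_hostnames([HOSTILE_NAME, "bad-host.example"]))        # validator drops it
```

Escaping fixes the structural problem on its own; the hostname filter is defence in depth, since a PTR record may legitimately contain characters that are not valid in a hostname and there is rarely a reason to write such a value into a firewall rule at all.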

FreeRADIUS
A certificate authentication issue exists in the default Mac OS X configuration of the FreeRADIUS server. A remote attacker may use EAP-TLS with an arbitrary valid certificate to authenticate and connect to a network configured to use FreeRADIUS for authentication. This issue is addressed by disabling support for EAP-TLS in the configuration. RADIUS clients should use EAP-TTLS instead. This issue only affects Mac OS X Server systems.

FTP Server
A directory traversal issue exists in FTP Server. This may allow a user to retrieve files outside the FTP root directory. This issue is addressed through improved handling of file names. This issue only affects Mac OS X Server systems.

iChat Server
An implementation issue exists in jabberd’s handling of SASL negotiation. A remote attacker may be able to terminate the operation of jabberd. This issue is addressed through improved handling of SASL negotiation. This issue only affects Mac OS X Server systems.

A design issue exists in iChat Server’s support for configurable group chat logging. iChat Server only logs messages with certain message types. This may allow a remote user to send a message through the server without it being logged. The issue is addressed by removing the capability to disable group chat logs, and logging all messages that are sent through the server. This issue only affects Mac OS X Server systems.

A use-after-free issue exists in iChat Server. An authenticated user may be able to cause an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. This issue only affects Mac OS X Server systems, and does not affect versions 10.6 or later.

Multiple stack buffer overflow issues exist in iChat Server. An authenticated user may be able to cause an unexpected application termination or arbitrary code execution. These issues are addressed through improved memory management. These issues only affect Mac OS X Server systems.

ImageIO
A heap buffer overflow exists in the handling of JP2 images. Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.

An uninitialized memory access issue exists in ImageIO’s handling of BMP images. Visiting a maliciously crafted website may result in sending data from Safari’s memory to the website. This issue is addressed through improved memory initialization and additional validation of BMP images.

An uninitialized memory access issue exists in ImageIO’s handling of TIFF images. Visiting a maliciously crafted website may result in sending data from Safari’s memory to the website. This issue is addressed through improved memory initialization and additional validation of TIFF images.

A memory corruption issue exists in the handling of TIFF images. Processing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory handling. This issue does not affect systems prior to Mac OS X v10.6.

Image RAW
A buffer overflow exists in Image RAW’s handling of NEF images. Viewing a maliciously crafted NEF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. This issue does not affect Mac OS X v10.6 systems.

A buffer overflow exists in Image RAW’s handling of PEF images. Viewing a maliciously crafted PEF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.

Libsystem
A buffer overflow exists in the floating point binary to text conversion code within Libsystem. An attacker who can cause an application to convert a floating point value into a long string, or to parse a maliciously crafted string as a floating point value, may be able to cause an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.

Mail
When a mail account is deleted, user-defined filter rules associated with that account remain active. This may result in unexpected actions. This issue is addressed by disabling associated rules when a mail account is deleted.

A logic issue exists in Mail’s handling of encryption certificates. When multiple certificates for the recipient exist in the keychain, Mail may select an encryption key that is not intended for encipherment. This may lead to a security issue if the chosen key is weaker than expected. This issue is addressed by ensuring that the key usage extension within certificates is evaluated when selecting a mail encryption key.

Mailman
Multiple cross-site scripting issues exist in Mailman 2.1.9. These issues are addressed by updating Mailman to version 2.1.13. These issues only affect Mac OS X Server systems, and do not affect versions 10.6 or later.

MySQL
MySQL is updated to version 5.0.88 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. These issues only affect Mac OS X Server systems.

OS Services
A privilege escalation issue exists in SFLServer, as it runs as group ‘wheel’ and accesses files in users’ home directories. This issue is addressed through improved privilege management.

Password Server
An implementation issue in Password Server’s handling of replication may cause passwords to not be replicated. A remote attacker may be able to log in to a system using an outdated password. This issue is addressed through improved handling of password replication. This issue only affects Mac OS X Server systems.

perl
Multiple race condition issues exist in the rmtree function of the perl module File::Path. A local user with write access to a directory that is being deleted may cause arbitrary files to be removed with the privileges of the perl process. This issue is addressed through improved handling of symbolic links. This issue does not affect Mac OS X v10.6 systems.
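The File::Path defect is a time-of-check/time-of-use race: a recursive delete that walks by path name can be pointed at a different target if an attacker swaps a directory for a symbolic link between the check and the `unlink`. The robust shape of the fix is to hold a descriptor on each directory and operate relative to it, never re-resolving a path, and to open directories with `O_NOFOLLOW`. The following is an added Python illustration of that technique for this page, not perl's patched `rmtree`; it assumes a POSIX platform with `openat`-style `dir_fd` support (Linux or Mac OS X), and `demo()` builds a throwaway tree under a temporary directory with a symlink to a directory that must survive.

```python
import os
import shutil
import tempfile

# Open a directory only; refuse to go through a symlink at this step.
_DIR_FLAGS = os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY


def _rmtree_fd(dir_fd: int) -> int:
    """Delete everything below the directory referred to by dir_fd, operating
    relative to the descriptor so a path component cannot be swapped under
    us.  Symlinks are unlinked as entries, never followed.  Returns the
    number of entries removed."""
    removed = 0
    with os.scandir(dir_fd) as it:
        entries = list(it)  # snapshot before we start deleting
    for entry in entries:
        if entry.is_dir(follow_symlinks=False):
            child_fd = os.open(entry.name, _DIR_FLAGS, dir_fd=dir_fd)
            try:
                removed += _rmtree_fd(child_fd)
            finally:
                os.close(child_fd)
            os.rmdir(entry.name, dir_fd=dir_fd)
        else:
            os.unlink(entry.name, dir_fd=dir_fd)
        removed += 1
    return removed


def safe_rmtree(path: str) -> int:
    """Remove the tree rooted at `path` without following symbolic links.
    The islink() check only gives a clearer error; the O_NOFOLLOW open is
    what actually prevents the race at the top level."""
    if os.path.islink(path):
        raise ValueError("refusing to remove a tree through a symlink: %s" % path)
    fd = os.open(path, _DIR_FLAGS)
    try:
        removed = _rmtree_fd(fd)
    finally:
        os.close(fd)
    os.rmdir(path)
    return removed + 1


def demo() -> dict:
    """Constructed scenario: 'victim' contains a subdirectory, a file and a
    symlink to 'keep'; deleting 'victim' must leave keep/secret.txt alone."""
    base = tempfile.mkdtemp()
    try:
        keep = os.path.join(base, "keep")
        os.mkdir(keep)
        secret = os.path.join(keep, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("must survive\n")

        victim = os.path.join(base, "victim")
        os.mkdir(victim)
        os.mkdir(os.path.join(victim, "sub"))
        with open(os.path.join(victim, "sub", "a.txt"), "w") as fh:
            fh.write("x\n")
        os.symlink(keep, os.path.join(victim, "link_to_keep"))

        removed = safe_rmtree(victim)
        return {
            "removed": removed,
            "secret_survives": os.path.exists(secret),
            "victim_gone": not os.path.lexists(victim),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The count returned by `demo()` is four: `a.txt`, `sub`, the symlink entry itself and `victim`. The file behind the symlink is untouched because the walk never calls `stat` or `unlink` on a freshly composed path; every operation names an entry relative to a descriptor that was opened with `O_NOFOLLOW`.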

PHP
PHP is updated to version 5.3.1 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.

PHP is updated to version 5.2.12 to address multiple vulnerabilities, the most serious of which may lead to cross-site scripting.

Podcast Producer
When a Podcast Composer workflow is overwritten, the access restrictions are removed. This may allow an unauthorized user to access a Podcast Composer workflow. This issue is addressed through improved handling of workflow access restrictions. Podcast Composer was introduced in Mac OS X Server v10.6.

Preferences
An implementation issue exists in the handling of system login restrictions for network accounts. If the network accounts allowed to log in to the system at the Login Window are identified by group membership only, the restriction will not be enforced, and all network users will be allowed to log in to the system. The issue is addressed through improved group restriction management in the Accounts preference pane. This issue only affects systems configured to use a network account server, and does not affect systems prior to Mac OS X v10.6.

PS Normalizer
A stack buffer overflow exists in the handling of PostScript files. Viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of PostScript files. On Mac OS X v10.6 systems this issue is mitigated by the -fstack-protector compiler flag.

QuickTime
A heap buffer overflow exists in QuickTime’s handling of H.263 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of H.263 encoded movie files.

A heap buffer overflow exists in the handling of H.261 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of H.261 encoded movie files.

A memory corruption issue exists in the handling of H.264 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of H.264 encoded movie files.

A heap buffer overflow exists in the handling of RLE encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of RLE encoded movie files.

A heap buffer overflow exists in the handling of M-JPEG encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of M-JPEG encoded movie files.

A memory corruption issue exists in the handling of Sorenson encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of Sorenson encoded movie files.

An integer overflow exists in the handling of FlashPix encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.

A heap buffer overflow exists in the handling of FLC encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of FLC encoded movie files.

A heap buffer overflow exists in the handling of MPEG encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of MPEG encoded movie files.

Ruby
Multiple vulnerabilities exist in Ruby on Rails, the most serious of which may lead to cross-site scripting. On Mac OS X v10.6 systems, these issues are addressed by updating Ruby on Rails to version 2.3.5. Mac OS X v10.5 systems are affected only by CVE-2009-4214, and this issue is addressed through improved validation of arguments to strip_tags.

A stack exhaustion issue exists in Ruby’s handling of BigDecimal objects with very large values. Running a Ruby script that uses untrusted input to initialize a BigDecimal object may lead to an unexpected application termination. For Mac OS X v10.6 systems, this issue is addressed by updating Ruby to version 1.8.7-p173. For Mac OS X v10.5 systems, this issue is addressed by updating Ruby to version 1.8.6-p369.

Server Admin
A design issue exists in the handling of authenticated directory binding. A remote attacker may be able to anonymously extract information from Open Directory, even if the “Require authenticated binding between directory and clients” option is enabled. The issue is addressed by removing this configuration option. This issue only affects Mac OS X Server systems.

A user who is removed from the ‘admin’ group may still connect to the server using screen sharing. This issue is addressed through improved handling of administrator privileges. This issue only affects Mac OS X Server systems, and does not affect version 10.6 or later. Credit: Apple.

SMB
An infinite loop issue exists in Samba’s handling of SMB ‘oplock’ break notifications. A remote attacker may be able to trigger an infinite loop in smbd, causing it to consume excessive CPU resources. The issue is addressed through improved handling of ‘oplock’ break notifications.

Tomcat
Tomcat is updated to version 6.0.24 to address multiple vulnerabilities, the most serious of which may lead to a cross-site scripting attack. Tomcat is only provided on Mac OS X Server systems.

unzip
An uninitialized pointer issue exists in the handling of zip files. Extracting maliciously crafted zip files using the unzip command-line tool may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of zip files. This issue does not affect Mac OS X v10.6 systems.

vim
Multiple vulnerabilities exist in vim 7.0, the most serious of which may lead to arbitrary code execution when working with maliciously crafted files. These issues are addressed by updating to vim 7.2.102. These issues do not affect Mac OS X v10.6 systems.

Wiki Server
Wiki Server allows users to upload active content such as Java applets. A remote attacker may obtain sensitive information by uploading a maliciously crafted applet and directing a Wiki Server user to view it. The issue is addressed by using a special one-time authentication cookie which is only usable to download a particular attachment. This issue only affects Mac OS X Server systems, and does not affect versions 10.6 or later.

Wiki Server supports service access control lists (SACLs), allowing an administrator to control the publication of content. Wiki Server fails to consult the weblog SACL during the creation of a user’s weblog. This may allow an authenticated user to publish content to the Wiki Server, even though publication should be disallowed by the service ACL. This issue does not affect systems prior to Mac OS X v10.6.

X11
libpng is updated to version 1.2.37 to address an issue that may result in the disclosure of sensitive information.

The xterm program supports a command sequence to change the window title, and to print the window title to the terminal. The information returned is provided to the terminal as though it were keyboard input from the user. Within an xterm terminal, displaying maliciously crafted data containing such sequences may result in command injection. The issue is addressed by disabling the affected command sequence.
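Apple's fix was in xterm itself, but the same class of problem applies to any program that echoes untrusted data (log lines, file names, remote banners) to a terminal, and the complementary defence is to strip terminal control sequences before display. The following added Python example, written for this page and not part of xterm or the update, removes ESC-introduced CSI and OSC sequences, their 8-bit C1 equivalents and stray C0 control characters from a string before it is printed. The sample log line is constructed; it embeds an OSC title-set sequence and a CSI title-report request of the kind the entry describes.

```python
import re

# Terminal control sequences that untrusted text must not be allowed to carry:
#   CSI  ESC [ params intermediates final   (also 8-bit 0x9b)
#   OSC  ESC ] text, ended by BEL or ESC \  (also 8-bit 0x9d ... 0x9c)
#   remaining two-byte and intermediate-bearing ESC sequences
#   C0 controls other than TAB, LF and CR, plus DEL
CONTROL_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"                 # CSI
    r"|\x9b[0-?]*[ -/]*[@-~]"                  # 8-bit CSI
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"     # OSC, BEL or ST terminated
    r"|\x9d[^\x07\x9c]*(?:\x07|\x9c)?"         # 8-bit OSC
    r"|\x1b[@-Z\\-_]"                          # other Fe sequences
    r"|\x1b[ -/]*[0-~]"                        # nF / Fp / Fs sequences
    r"|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]"       # stray C0 controls and DEL
)


def contains_control_sequences(data: str) -> bool:
    """Detection side: report whether untrusted text carries anything a
    terminal would interpret rather than display."""
    return CONTROL_SEQ.search(data) is not None


def sanitize_for_terminal(data: str) -> str:
    """Mitigation side: return the text with every control sequence removed,
    leaving printable characters, tabs and line breaks."""
    return CONTROL_SEQ.sub("", data)


# Constructed sample: an auth-log style line whose 'user name' field smuggles
# an OSC title-set sequence and a CSI title-report request.
SAMPLE_LINE = (
    "login failed for user \x1b]2;injected title\x07bob"
    "\x1b[21t from 198.51.100.9\n"
)

if __name__ == "__main__":
    print(repr(sanitize_for_terminal(SAMPLE_LINE)))
    print(repr(sanitize_for_terminal("\x1b[1;31mred\x1b[0m")))
```

This filter is deliberately blunt and also removes colour (SGR) sequences; a viewer that wants to keep its own colouring should apply the filter to the untrusted fields before composing the coloured output, rather than loosening the pattern.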

xar
A design issue exists in xar when validating a package signature. This may allow a modified package to appear as validly signed. This issue is fixed through improved package signature validation. This issue does not affect Mac OS X v10.6 systems.
