__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Apple Security Update 2005-009 [APPLE-SA-2005-11-29 Security Update 2005-009] November 30, 2005 18:00 GMT Number Q-064 ______________________________________________________________________________ PROBLEM: Apple has released a security update that addresses 13 vulnerabilities. PLATFORM: Mac OS X 10.3.9 Client and Server Mac OS X 10.4.4 Client and Server DAMAGE: Exploiting the vulnerabilities may result in the following: security bypass, cross site scripting, spoofing, manipulation of data, exposure of sensitive information, privilege escalation, DoS, and system access. SOLUTION: Apply the available security update. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. The worst of the vulnerabilities may allow a ASSESSMENT: remote attacker to execute arbitrary code. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/q-064.shtml ORIGINAL BULLETIN: http://docs.info.apple.com/article.html?artnum=302847 CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2005-2088, CVE-2005-2700, CVE-2005-2757, CVE-2005-3185, CVE-2005-3700, CVE-2005-2969, CVE-2005-3701, CVE-2005-2491, CVE-2005-3702, CVE-2005-3703, CVE-2005-3705, CVE-2005-1993, CVE-2005-3704 ______________________________________________________________________________ [***** Start APPLE-SA-2005-11-29 Security Update 2005-009 *****] About Security Update 2005-009 This document describes Security Update 2005-009, which can be downloaded and installed via Software Update preferences, or from Apple Downloads. For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website. For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key." Where possible, CVE IDs are used to reference the vulnerabilities for further information. To learn about other Security Updates, see "Apple Security Updates." Security Update 2005-009 * Apache2 CVE-ID: CVE-2005-2088 Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.3 Impact: Cross-site scripting may be possible in certain configurations Description: The Apache 2 web server may allow an attacker to bypass protections using specially-crafted HTTP headers. This behavior is only present when Apache is used in conjunction with certain proxy servers, caching servers, or web application firewalls. This update addresses the issue by incorporating Apache version 2.0.55. * apache_mod_ssl CVE-ID: CVE-2005-2700 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS Xv10.4.3, Mac OS X Server v10.4.3 Impact: SSL client authentication may be bypassed in certain configurations Description: The Apache web server's mod_ssl module may allow an attacker unauthorized access to a resource that is configured to require SSL client authentication. Only Apache configurations that include the "SSLVerifyClient require" directive may be affected. This update address the issue by incorporating mod_ssl 2.8.24 and Apache version 2.0.55 (Mac OS X Server). * CoreFoundation CVE-ID: CVE-2005-2757 Available for: Mac OS X v10.4.3, Mac OS X Server v10.4.3 Impact: Resolving a maliciously-crafted URL may result in crashes or arbitrary code execution Description: By carefully crafting a URL, an attacker can trigger a heap buffer overflow in CoreFoundation which may result in a crash or arbitrary code execution. CoreFoundation is used by Safari and other applications. This update addresses the issue by performing additional validation of URLs. This issue does not affect systems prior to Mac OS X v10.4. * curl CVE-ID: CVE-2005-3185 Available for: Mac OS X v10.4.3, Mac OS X Server v10.4.3 Impact: Visiting a malicious HTTP server and using NTLM authentication may result in arbitrary code execution Description: Using curl with NTLM authentication enabled to download an HTTP resource may allow an attacker to supply an overlong user or domain name. This may cause a stack buffer overflow and lead to arbitrary code execution. This update addresses the issue by performing additional validation when using NTLM authentication. This issue does not affect systems prior to Mac OS X v10.4. * iodbcadmintool CVE-ID: CVE-2005-3700 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.3, Mac OS X Server v10.4.3 Impact: Local users may gain elevated privileges Description: The ODBC Administrator utility includes a helper tool called iodbcadmintool that executes with raised privileges. This helper tool contains a vulnerability that may allow local users to execute arbitrary commands with raised privileges. This update addresses the issue by providing an updated iodbcadmintool that is not susceptible. * OpenSSL CVE-ID: CVE-2005-2969 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.3, Mac OS X Server v10.4.3 Impact: Applications using OpenSSL may be forced to use the weaker SSLv2 protocol Description: Applications that do not disable SSLv2 or that enable certain compatibility options when using OpenSSL may be vulnerable to a protocol downgrade attack. Such attacks may cause an SSL connection to use the SSLv2 protocol which provides less protection than SSLv3 or TLS. Further information on this issue is available at http://www.openssl.org/news/secadv_20051011.txt. This update addresses the issue by incorporating OpenSSL version 0.9.7i. * passwordserver CVE-ID: CVE-2005-3701 Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.3 Impact: Local users on Open Directory master servers may gain elevated privileges Description: When creating an Open Directory master server, credentials may be compromised. This could lead to unprivileged local users gaining elevated privileges on the server. This update addresses the issue by ensuring the credentials are protected. * Safari CVE-ID: CVE-2005-2491 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.3, Mac OS X Server v10.4.3 Impact: Processing a regular expressions may result in arbitrary code execution Description: The JavaScript engine in Safari uses a version of the PCRE library that is vulnerable to a potentially exploitable heap overflow. This may lead to the execution of arbitrary code. This update addresses the issue by providing a new version of the JavaScript engine that incorporates more robust input validation. * Safari CVE-ID: CVE-2005-3702 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.3, Mac OS X Server v10.4.3 Impact: Safari may download files outside of the designated download directory Description: When files are downloaded in Safari they are normally placed in the location specified as the download directory. However, if a web site suggests an overlong filename for a download, it is possible for Safari to create this file in other locations. Although the filename and location of the downloaded file content cannot be directly specified by remote servers, this may still lead to downloading content into locations accessible to other users. This update addresses the issue by rejecting overlong filenames. * Safari CVE-ID: CVE-2005-3703 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.3, Mac OS X Server v10.4.3 Impact: JavaScript dialog boxes in Safari may be misleading Description: In Safari, JavaScript dialog boxes do not indicate the web site that created them. This could mislead users into unintentionally disclosing information to a web site. This update addresses the issue by displaying the originating site name in JavaScript dialog boxes. Credit to Jakob Balle of Secunia Research for reporting this issue. * Safari CVE-ID: CVE-2005-3705 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.3, Mac OS X Server v10.4.3 Impact: Visiting malicious web sites with WebKit-based applications may lead to arbitrary code execution Description: WebKit contains a heap overflow that may lead to the execution of arbitrary code. This may be triggered by content downloaded from malicious web sites in applications that use WebKit such as Safari. This update addresses the issue by removing the heap overflow from WebKit. Credit to Neil Archibald of Suresec LTD and Marco Mella for reporting this issue. * sudo CVE-ID: CVE-2005-1993 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.3, Mac OS X Server v10.4.3 Impact: Local users may be able to gain elevated privileges in certain sudo configurations Description: Sudo allows system administrators to grant users the ability to run specific commands with elevated privileges. Although the default configuration is not vulnerable to this issue, custom sudo configurations may not properly restrict users. Further information on this issue is available at http://www.sudo.ws/sudo/alerts/path_race.html. This update addresses the issue by incorporating sudo version 1.6.8p9. * syslog CVE-ID: CVE-2005-3704 Available for: Mac OS X v10.4.3, Mac OS X Server v10.4.3 Impact: System log entries may be forged Description: The system log server records syslog messages verbatim. By supplying control characters such as the newline character, a local attacker could forge entries with the intention to mislead the system administrator. This update addresses the issue by specially handling control characters and other non-printable characters. This issue does not affect systems prior to Mac OS X v10.4. Credit to HELIOS Software GmbH for reporting this issue. * Additional Information Also included in this update are enhancements to Safari to improve handling of credit card security codes (Mac OS X v10.3.9 and Mac OS X v10.4.3), CoreTypes to improve handling of Terminal files (Mac OS X v10.4.3), QuickDraw Manager to improve rendering of PICT files (Mac OS X v10.3.9), documentation regarding OpenSSH and PAM (Mac OS X v10.4.3), and ServerMigration to remove unneeded privileges. spacer Search Advanced Search | Help Email This Article Log in to send email Did this article help you? It solved my issue... Tell us what works for you. It's good, but... Report typos, inaccuracies, etc. It wasn't helpful... Tell us what would have helped. Languages This article is available in the following languages: * English Keywords: ktech kmosx4 kmosx3 Article ID: 302847 Date Created: November 14, 2005 Date Modified: November 29, 2005 [***** End APPLE-SA-2005-11-29 Security Update 2005-009 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Apple for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) Q-054: gdk-pixbuf security update Q-055: phpsysinfo Q-056: fetchmail -- programming error Q-057: unzip -- race condition Q-058: netpbm-free -- buffer overflows Q-059: Vulnerability in the way Internet Explorer Handles onLoad Events Q-060: Solaris 10 traceroute Vulnerability Q-061: JMX in JRE 5 Untrusted Applet May Elevate Privileges Q-062: Cisco PIX Spoofed TCP SYN Packets Block TCP Connections Q-063: Cisco Security Agent Allows Execution of Arbitrary Code