=====================================================================
CERT-Renater Information Note No. 2006/VULN511
_____________________________________________________________________
DATE                 : 04/10/2006
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Mac OS X.
======================================================================

APPLE-SA-2006-09-29 Mac OS X v10.4.8 and Security Update 2006-006

Mac OS X v10.4.8 and Security Update 2006-006 are now available and provide fixes for the following security issues. Mac OS X v10.4.8 also provides additional functionality changes, and information is available in its release note.

The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Mac OS X v10.4.8 or Security Update 2006-006.

CFNetwork
CVE-ID: CVE-2006-4390
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: CFNetwork clients such as Safari may allow unauthenticated SSL sites to appear as authenticated
Description: Connections created using SSL are normally authenticated and encrypted. When encryption is implemented without authentication, malicious sites may be able to pose as trusted sites. In the case of Safari this may lead to the lock icon being displayed when the identity of a remote site cannot be trusted. This update addresses the issue by disallowing anonymous SSL connections by default. Credit to Adam Bryzak of Queensland University of Technology for reporting this issue.
Flash Player
CVE-ID: CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Playing Flash content may lead to arbitrary code execution
Description: Adobe Flash Player contains critical vulnerabilities that may lead to arbitrary code execution when handling maliciously-crafted content. This update addresses the issues by incorporating Flash Player version 9.0.16.0 on Mac OS X v10.3.9 and Flash Player version 9.0.20.0 on Mac OS X v10.4 systems. Further information is available via the Adobe web site at:
http://www.adobe.com/support/security/bulletins/apsb06-11.html

ImageIO
CVE-ID: CVE-2006-4391
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Viewing a maliciously-crafted JPEG2000 image may lead to an application crash or arbitrary code execution
Description: By carefully crafting a corrupt JPEG2000 image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of JPEG2000 images. This issue does not affect systems prior to Mac OS X v10.4. Credit to Tom Saxton of Idle Loop Software Design for reporting this issue.

Kernel
CVE-ID: CVE-2006-4392
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Local users may be able to run arbitrary code with raised privileges
Description: An error handling mechanism in the kernel, known as Mach exception ports, provides the ability to control programs when certain types of errors are encountered. Malicious local users could use this mechanism to execute arbitrary code in privileged programs if an error is encountered.
This update addresses the issue by restricting access to Mach exception ports for privileged programs. Credit to Dino Dai Zovi of Matasano Security for reporting this issue.

LoginWindow
CVE-ID: CVE-2006-4397
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: After an unsuccessful attempt to log in to a network account, Kerberos tickets may be accessible to other local users
Description: Due to an unchecked error condition, Kerberos tickets may not be properly destroyed after unsuccessfully attempting to log in to a network account via loginwindow. This could result in unauthorized access by other local users to a previous user's Kerberos tickets. This update addresses the issue by clearing the credentials cache after failed logins. This issue does not affect systems prior to Mac OS X v10.4. Credit to Patrick Gallagher of Digital Peaks Corporation for reporting this issue.

LoginWindow
CVE-ID: CVE-2006-4393
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Kerberos tickets may be accessible to other local users if Fast User Switching is enabled
Description: An error in the handling of Fast User Switching may allow a local user to gain access to the Kerberos tickets of other local users. Fast User Switching has been updated to prevent this situation. This issue does not affect systems prior to Mac OS X v10.4. Credit to Ragnar Sundblad of the Royal Institute of Technology, Stockholm, Sweden for reporting this issue.

LoginWindow
CVE-ID: CVE-2006-4394
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Network accounts may be able to bypass loginwindow service access controls
Description: Service access controls can be used to restrict which users are allowed to log in to a system via loginwindow.
A logic error in loginwindow allows network accounts without GUIDs to bypass service access controls. This issue only affects systems that have been configured to use service access controls for loginwindow and to allow network accounts to authenticate users without a GUID. The issue has been resolved by properly handling service access controls in loginwindow. This issue does not affect systems prior to Mac OS X v10.4.

Preferences
CVE-ID: CVE-2006-4387
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: After removing an account's Admin privileges, the account may still manage WebObjects applications
Description: Clearing the "Allow user to administer this computer" checkbox in System Preferences may fail to remove the account from the appserveradm or appserverusr groups. These groups allow an account to manage WebObjects applications. This update addresses the issue by ensuring the account is removed from the appropriate groups. This issue does not affect systems prior to Mac OS X v10.4. Credit to Phillip Tejada of Fruit Bat Software for reporting this issue.

QuickDraw Manager
CVE-ID: CVE-2006-4395
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Opening a malicious PICT image with certain applications may lead to an application crash or arbitrary code execution
Description: Certain applications invoke an unsupported QuickDraw operation to display PICT images. By carefully crafting a corrupt PICT image, an attacker can trigger memory corruption in these applications, which may lead to an application crash or arbitrary code execution. This update addresses the issue by preventing the unsupported operation.
SASL
CVE-ID: CVE-2006-1721
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Remote attackers may be able to cause an IMAP server denial of service
Description: An issue in the DIGEST-MD5 negotiation support in Cyrus SASL can lead to a segmentation fault in the IMAP server with a maliciously-crafted realm header. This update addresses the issue through improved handling of realm headers in authentication attempts.

WebCore
CVE-ID: CVE-2006-3946
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Viewing a maliciously-crafted web page may lead to arbitrary code execution
Description: A memory management error in WebKit's handling of certain HTML could allow a malicious web site to cause a crash or potentially execute arbitrary code as the user viewing the site. This update addresses the issue by preventing the condition causing the overflow. Credit to Jens Kutilek of Netzallee for reporting this issue.

Workgroup Manager
CVE-ID: CVE-2006-4399
Available for: Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Accounts in a NetInfo parent that appear to use ShadowHash passwords may still use crypt
Description: Workgroup Manager appears to allow switching authentication type from crypt to ShadowHash passwords in a NetInfo parent, when in actuality it does not. Refreshing the view of an account in a NetInfo parent will properly indicate that crypt is still being used. This update addresses the issue by disallowing administrators from selecting ShadowHash passwords for accounts in a NetInfo parent. Credit to Chris Pepper of The Rockefeller University for reporting this issue.
Mac OS X v10.4.8 and Security Update 2006-006 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Mac OS X v10.4.8 or Security Update 2006-006.

For Mac OS X v10.3.9
The download file is named: "SecUpd2006-006Pan.dmg"
Its SHA-1 digest is: fddff89d465bd850bb32573857a1dcc66b415a01

For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2006-006Pan.dmg"
Its SHA-1 digest is: 0be0cb9ef603c6d093d863193aa8c83964c110c3

For Mac OS X v10.4.7 (PowerPC)
The download file is named: "MacOSXUpd10.4.8PPC.dmg"
Its SHA-1 digest is: 982d70a52099297e322ba8e4540ef6d30fa5673a

For Mac OS X v10.4 (PowerPC) through v10.4.6 (PowerPC)
The download file is named: "MacOSXUpdCombo10.4.8PPC.dmg"
Its SHA-1 digest is: dfa38c7d99ba103d4b0460859e03bc8437690bd2

For Mac OS X v10.4.7 (Intel)
The download file is named: "MacOSXUpd10.4.8Intel.dmg"
Its SHA-1 digest is: 540955d0c2c7d4b11a3a6951003f02d6b46e8d2d

For Mac OS X v10.4.4 (Intel) through v10.4.6 (Intel)
The download file is named: "MacOSXUpdCombo10.4.8Intel.dmg"
Its SHA-1 digest is: 46ed3360238415adc1612440dda8f58c1443cb37

For Mac OS X Server v10.4.7 (PowerPC)
The download file is named: "MacOSXServerUpd10.4.8PPC.dmg"
Its SHA-1 digest is: c2e7b6483cc2a873c838aa97e629b07d147aa679

For Mac OS X Server v10.4.7 (Universal)
The download file is named: "MacOSXServerUpd10.4.8Univ.dmg"
Its SHA-1 digest is: fb4abd5d926704f6ed73018189e6ce6e0d8be1fd

For Mac OS X Server v10.4 through v10.4.6 (PowerPC)
The download file is named: "MacOSXSrvrCombo10.4.8PPC.dmg"
Its SHA-1 digest is: c84e2cb0ccf1d71b976026d35266c693d7e71954

Information will also be posted to the Apple Security Updates web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/pgp/
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44       +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41       +
+ 75013 Paris           | email: certsvp@renater.fr  +
=========================================================