The Security Pub

Random Thoughts About Security

Apple's Safari Browser 4.0.4 is now available

Apple today shipped Safari 4.0.4 to fix a total of seven security flaws that expose Windows and Mac users to a wide range of attacks.

The high-priority update patches vulnerabilities that allow remote code execution (drive-by downloads) if a user simply visits a maliciously rigged website. Some of the issues affect Microsoft’s new Windows 7 operating system.

Here are the details from an Apple advisory:

  • ColorSync (CVE-2009-2804) — Available for Windows 7, Windows Vista and Windows XP — An integer overflow exists in the handling of images with an embedded color profile, which may lead to a heap buffer overflow. Opening a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution. This vulnerability was internally discovered by Apple.
  • libxml — CVE-2009-2414, CVE-2009-2416 — Available for: Mac OS X, Windows 7, Windows Vista and Windows XP — Multiple use-after-free issues exist in libxml2, the most serious of which may lead to an unexpected application termination. This update addresses the issues through improved memory handling. The issues have already been addressed in Mac OS X 10.6.2, and in Security Update 2009-006 for Mac OS X 10.5.8 systems.
  • Safari — CVE-2009-2842 — Available for: Mac OS X, Windows 7, Windows Vista and Windows XP — An issue exists in Safari’s handling of navigations initiated via the “Open Image in New Tab”, “Open Image in New Window”, or “Open Link in New Tab” shortcut menu options. Using these options within a maliciously crafted website could load a local HTML file, leading to the disclosure of sensitive information.
  • WebKit — CVE-2009-2816 — Available for Mac OS X, Windows 7, Windows Vista and Windows XP — An issue exists in WebKit’s implementation of Cross-Origin Resource Sharing. Before allowing a page from one origin to access a resource in another origin, WebKit sends a preflight request to the latter server for access to the resource. WebKit includes custom HTTP headers specified by the requesting page in the preflight request. This can facilitate cross-site request forgery. Internally discovered by Apple.
  • WebKit — CVE-2009-3384 — Available for Windows 7, Windows Vista and Windows XP — Multiple vulnerabilities exist in WebKit’s handling of FTP directory listings. Accessing a maliciously crafted FTP server may lead to information disclosure, unexpected application termination, or execution of arbitrary code. This update addresses the issues through improved parsing of FTP directory listings. These issues do not affect Safari on Mac OS X systems.
  • WebKit — CVE-2009-2841 — Available for Mac OS X (client and server) — When WebKit encounters an HTML 5 Media Element pointing to an external resource, it does not issue a resource load callback to determine if the resource should be loaded. This may result in undesired requests to remote servers. As an example, the sender of an HTML-formatted email message could use this to determine that the message was read. This issue is addressed by generating resource load callbacks when WebKit encounters an HTML 5 Media Element. This issue does not affect Safari on Windows systems.
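The preflight behaviour described in the WebKit CORS entry above, as an added example that is not part of the original post and is not Apple's or WebKit's code. It builds the OPTIONS preflight a browser should send before a cross-origin request that carries custom headers, beside a variant that copies those custom headers onto the preflight itself. The server-side gate that accepts any request bearing X-Requested-With is an assumption for illustration: it models the common application-level CSRF defence that relies on a cross-origin page being unable to add custom headers without a preflight, which is why a preflight that carries those headers can facilitate forgery. The origin, URL and request are constructed.

```javascript
// Added illustration of CORS preflight construction (not Apple's or WebKit's code).
// Assumption: the toy CSRF gate below treats a custom header as proof of same-origin.

// Methods and headers the CORS specification treats as "simple"; they need no preflight.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Lower-case all header names so lookups are case-insensitive, as HTTP requires.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) out[name.toLowerCase()] = value;
  return out;
}

// Names of headers that force a preflight: anything outside the simple set, plus
// Content-Type with a media type outside the simple set.
function nonSimpleHeaders(normalized) {
  return Object.keys(normalized).filter((name) => {
    if (!SIMPLE_HEADERS.has(name)) return true;
    if (name === 'content-type') {
      const mediaType = normalized[name].split(';')[0].trim().toLowerCase();
      return !SIMPLE_CONTENT_TYPES.has(mediaType);
    }
    return false;
  });
}

function needsPreflight(req) {
  if (!SIMPLE_METHODS.has(req.method.toUpperCase())) return true;
  return nonSimpleHeaders(normalize(req.headers)).length > 0;
}

// Build the OPTIONS preflight sent to the target origin before the real request.
// A correct preflight only *names* the custom headers in Access-Control-Request-Headers.
// leakCustomHeaders=true models the flawed behaviour the advisory describes: the
// page-specified custom headers are copied onto the preflight request itself.
function buildPreflight(origin, req, leakCustomHeaders = false) {
  const h = normalize(req.headers);
  const requested = nonSimpleHeaders(h).sort();
  const preflight = {
    method: 'OPTIONS',
    url: req.url,
    headers: {
      origin,
      'access-control-request-method': req.method.toUpperCase(),
    },
  };
  if (requested.length > 0) {
    preflight.headers['access-control-request-headers'] = requested.join(', ');
  }
  if (leakCustomHeaders) {
    for (const name of requested) preflight.headers[name] = h[name];
  }
  return preflight;
}

// Toy server-side CSRF gate (assumption for illustration): accept a request as
// "not forged" if it carries X-Requested-With, on the reasoning that a cross-origin
// page cannot attach a custom header without first passing a preflight.
function csrfGateAccepts(incoming) {
  return Object.prototype.hasOwnProperty.call(normalize(incoming.headers), 'x-requested-with');
}

// Constructed scenario: a state-changing request issued from an attacker-controlled origin.
const attackerOrigin = 'https://evil.example';
const transfer = {
  method: 'POST',
  url: 'https://bank.example/transfer',
  headers: { 'Content-Type': 'application/json', 'X-Requested-With': 'XMLHttpRequest' },
};

function demo() {
  const correct = buildPreflight(attackerOrigin, transfer, false);
  const flawed = buildPreflight(attackerOrigin, transfer, true);
  return {
    preflightNeeded: needsPreflight(transfer),            // true: JSON body and custom header
    goodPreflightPassesGate: csrfGateAccepts(correct),    // false: preflight carries no custom header
    badPreflightPassesGate: csrfGateAccepts(flawed),      // true: the leaked header satisfies the gate
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The point of the comparison is that the gate is only sound if the browser never attaches page-chosen headers before the target origin has answered the preflight; a server that also handles OPTIONS with the same code path as POST sees the flawed preflight as a trusted request.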

The browser update is being pushed to Mac and Windows systems via Apple’s software update utilities. Alternatively, Safari users can download the patches from Apple’s download site.

Apple has 58 fixes in the Mac OS X Update

Apple has released another mega-patch covering a total of 58 documented vulnerabilities affecting the Mac OS X ecosystem.

The majority of the flaws could allow a remote attacker to gain complete control of an unpatched system, which earns this update an “extremely critical” rating.

It includes patches for open-source components such as Apache and PHP, as well as for security holes in the QuickTime media player.

Here’s a glimpse of some of the more serious issues covered in the Security Update 2009-006/Mac OS X v10.6.2 patch bundle:

  • AFP Client — Multiple memory corruption issues exist in AFP Client. Connecting to a malicious AFP Server may cause an unexpected system termination or arbitrary code execution with system privileges.
  • Apache — Apache is updated to version 2.2.13 to address several vulnerabilities, the most serious of which may lead to privilege escalation. A separate patch corrects a flaw that allows an attacker to use the TRACE HTTP method in the Apache Web server to conduct cross-site scripting attacks through certain web client software.
  • Apache Portable Runtime — Multiple integer overflows in Apache Portable Runtime (apr) may lead to an unexpected application termination or arbitrary code execution.
  • ATS — Multiple buffer overflows exist in Apple Type Services’ handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution.
  • CoreGraphics — Multiple integer overflows in CoreGraphics’ handling of PDF files may result in a heap buffer overflow. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution.
  • CoreMedia — Memory corruption and heap buffer overflow issues exist in the handling of H.264 movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution.
  • CUPS — An issue in CUPS may lead to cross-site scripting and HTTP response splitting. Accessing a maliciously crafted web page or URL may allow an attacker to access content available to the current local user via the CUPS web interface. This could include print system configuration and the titles of jobs that have been printed.
  • Dictionary — A design issue in Dictionary allows maliciously crafted JavaScript to write arbitrary data to arbitrary locations on the user’s filesystem. This may allow another user on the local network to execute arbitrary code on the user’s system.
  • DirectoryService — A memory corruption issue exists in DirectoryService. This may allow a remote attacker to cause an unexpected application termination or arbitrary code execution. This issue only affects systems configured as DirectoryService servers.
  • Disk Images — A heap buffer overflow exists in the handling of disk images containing FAT filesystems. Downloading a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution.
  • Dovecot — Multiple buffer overflows exist in dovecot-sieve. By supplying a maliciously crafted dovecot-sieve script, a local user may cause an unexpected application termination or arbitrary code execution with system privileges.
  • ImageIO — A buffer underflow exists in ImageIO’s handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
  • Kernel — Multiple input validation issues exist in Kernel’s handling of task state segments. These may allow a local user to cause information disclosure, an unexpected system shutdown, or arbitrary code execution.