>> Apple Mac OS X Multiple Remote and Client-Side Code Execution Vulnerabilities

Title : Apple Mac OS X Multiple Remote and Client-Side Code Execution Vulnerabilities
VUPEN ID : VUPEN/ADV-2006-1779
CVE ID : CVE-2005-2337 - CVE-2005-2628 - CVE-2005-4077 - CVE-2006-0024 - CVE-2006-1439 - CVE-2006-1440 - CVE-2006-1441 - CVE-2006-1442 - CVE-2006-1443 - CVE-2006-1444 - CVE-2006-1445 - CVE-2006-1446 - CVE-2006-1447 - CVE-2006-1448 - CVE-2006-1449 - CVE-2006-1450 - CVE-2006-1451 - CVE-2006-1452 - CVE-2006-1453 - CVE-2006-1454 - CVE-2006-1455 - CVE-2006-1456 - CVE-2006-1457 - CVE-2006-1552 - CVE-2006-1614 - CVE-2006-1615 - CVE-2006-1630 - CVE-2006-1982 - CVE-2006-1983 - CVE-2006-1984 - CVE-2006-1985
Rated as : Critical 
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-05-11


Technical Description

Apple has released security updates to address thirty-one vulnerabilities identified in Mac OS X. These flaws could be exploited by attackers to execute arbitrary commands, bypass security restrictions, disclose sensitive information, or cause a denial of service.

The first issue is due to an error in the "NSSecureTextField" class that fails to properly re-enable secure event input when switching between text input fields, which could cause characters entered into a secure text field to be read by other applications in the same window session.

The second flaw is due to buffer overflow errors in the ImageIO framework that does not properly handle malformed GIF or TIFF images, which could be exploited by attackers to compromise a vulnerable system via a specially crafted image. For additional information, see : VUPEN/ADV-2006-1452

The third vulnerability is due to an error in BOM when processing malformed archives (e.g. Zip) containing overly long path names, which could be exploited by attackers to crash a vulnerable application or execute arbitrary commands via a malicious archive. For additional information, see : VUPEN/ADV-2006-1452

The fourth issue is due to an input validation error in BOM when handling archives containing directory traversal symbolic links, which could be exploited by attackers to create or overwrite files in arbitrary locations by tricking a user into expanding a malicious archive.

The fifth flaw is due to an integer overflow error in CFNetwork when handling chunked transfer encoding, which could be exploited by malicious web sites to compromise a vulnerable system.

The sixth flaw is due to integer overflow, format string, and memory corruption errors in ClamAV, which could be exploited by attackers or malware to execute arbitrary commands or cause a denial of service. For additional information, see : VUPEN/ADV-2006-1258

The seventh vulnerability is due to an error in the bundle API that allows dynamic libraries to load and execute when a bundle is registered even if the client application does not explicitly request it, which could be exploited by attackers to execute arbitrary code from an untrusted bundle without user interaction.

The eighth flaw is due to an integer overflow error in the "CFStringGetFileSystemRepresentation" API during string conversions to file system representation, which could be exploited to execute arbitrary commands.

The ninth issue is due to an error in the "Enable access for assistive devices" feature, which could be exploited by malicious applications to intercept characters entered into a secure text field in the same window session.

The tenth flaw is due to an error in Finder that does not properly restrict URL schemes when processing Internet Location items, which could be exploited by attackers to execute arbitrary code by convincing a user to launch a supposedly benign URL.

The eleventh issue is due to buffer overflow errors in FTPServer when handling specially crafted path names, which could be exploited by authenticated attackers to compromise a vulnerable FTP server.

The twelfth flaw is due to memory corruption errors in Macromedia Flash Player, which could be exploited by remote attackers to compromise a vulnerable system via a specially crafted web page or SWF file. For additional information, see : VUPEN/ADV-2006-0952 - VUPEN/ADV-2005-2317

The thirteenth issue is due to an integer overflow error in ImageIO when processing malformed JPEG metadata, which could be exploited by attackers to execute arbitrary commands via a malicious image or web page.

The fourteenth flaw is due to an error in Keychain that does not properly restrict access to locked items, which could be exploited by an application to continue using a Keychain item regardless of whether the Keychain is locked or unlocked.

The fifteenth vulnerability is due to an error in LaunchServices that does not correctly validate overly long file name extensions, which could be exploited by malicious web sites to bypass the "Download Validation" feature and cause Safari to automatically open unsafe content if the "Open safe files after downloading" option is enabled and certain applications are not installed.

The sixteenth flaw is due to a buffer overflow error in libcurl when handling an overly long URL, which could be exploited by attackers to execute arbitrary commands. For additional information, see : VUPEN/ADV-2005-2791

The seventeenth issue is due to an integer overflow error in Mail when handling malformed MacMIME encapsulated attachments, which may lead to arbitrary code execution when viewing a malicious email message.

The eighteenth flaw is due to an error in Mail when handling enriched text email messages containing invalid color information, which could be exploited by attackers to execute arbitrary commands via a malicious email message.

The nineteenth vulnerability is due to an error in MySQL that does not properly set the root password during the initial setup, which could allow local users to gain access to a vulnerable database with full privileges.

The twentieth issue is due to a stack overflow error in Preview when navigating very deep directory hierarchies, which could be exploited by attackers to execute arbitrary code via malicious directories.

The twenty-first issue is due to a stack overflow error in QuickDraw when processing PICT images containing malformed font information, which could be exploited by malicious web sites to compromise a vulnerable system.

The twenty-second flaw is due to a heap overflow error in QuickDraw when processing malformed PICT images, which could be exploited by malicious web sites to compromise a vulnerable system.

The twenty-third issue is due to a null pointer dereference error in QuickTime Streaming Server when processing a QuickTime movie that has a missing track, which could be exploited by attackers to crash a vulnerable server.

The twenty-fourth flaw is due to a buffer overflow error in QuickTime Streaming Server when logging RTSP requests, which could be exploited by remote attackers to crash or compromise a vulnerable server.

The twenty-fifth issue is due to an error in Ruby that fails to properly enforce safe level protections, which could be exploited by attackers to bypass security restrictions and execute arbitrary code. For additional information, see : VUPEN/ADV-2005-1984

The twenty-sixth issue is due to an error in Safari that does not properly validate downloaded archives before they are automatically expanded when the "Open safe files after downloading" option is enabled, which could be exploited by attackers to compromise a vulnerable system via a malicious archive containing a symbolic link.
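The third, fourth and twenty-sixth issues all come down to expanding an archive without first checking its entries (overly long path names, and symbolic links that redirect writes outside the destination). The following is an added example, not code from the advisory or from Apple: a pre-extraction audit of a Zip archive that reports such entries. The function names, the 1024-character path limit and the sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import stat
import zipfile

MAX_PATH = 1024  # assumed path-length limit for this example

def is_symlink(info):
    # The Unix file mode is stored in the high 16 bits of external_attr
    return stat.S_ISLNK(info.external_attr >> 16)

def escapes(path):
    # True if the path is absolute or climbs above the extraction root
    norm = posixpath.normpath(path)
    return posixpath.isabs(path) or norm == ".." or norm.startswith("../")

def audit_archive(data):
    """Return (entry, reason) findings; an empty list means nothing was flagged."""
    findings, links = [], set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.rstrip("/").split("/")
            parents = {"/".join(parts[:i]) for i in range(1, len(parts))}
            if len(name) > MAX_PATH:
                findings.append((name[:32] + "...", "path too long"))
            elif escapes(name):
                findings.append((name, "entry escapes destination"))
            elif parents & links:
                findings.append((name, "written through a symlink"))
            elif is_symlink(info):
                # A symlink entry's data is its target; resolve it from the link's directory
                target = zf.read(info).decode("utf-8", "replace")
                links.add(name.rstrip("/"))
                if escapes(posixpath.join(posixpath.dirname(name), target)):
                    findings.append((name, "symlink target outside destination"))
    return findings

def build_sample():
    # Constructed sample: a benign file, a traversal symlink, a file routed via it, a long path
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        link = zipfile.ZipInfo("docs/out")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../etc")
        zf.writestr("docs/out/passwd", "x")
        zf.writestr("a/" * 600 + "f", "x")
    return buf.getvalue()
```

Running `audit_archive(build_sample())` flags three of the four entries; an archive handler would refuse to expand the archive when the list is non-empty.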

Affected Products

Apple Mac OS X version 10.4.6 and prior
Apple Mac OS X Server version 10.4.6 and prior
Apple Mac OS X version 10.3.9 and prior
Apple Mac OS X Server version 10.3.9 and prior

Solution

Security Update 2006-003 for Mac OS X 10.4.6 Client (PPC) :
http://www.apple.com/support/downloads/securityupdate2006003macosx1046clientppc.html
Security Update 2006-003 for Mac OS X 10.4.6 Client (Intel) :
http://www.apple.com/support/downloads/securityupdate2006003macosx1046clientintel.html
Security Update 2006-003 for Mac OS X 10.3.9 Client :
http://www.apple.com/support/downloads/securityupdate20060031039client.html
Security Update 2006-003 for Mac OS X 10.4.6 Server :
http://www.apple.com/support/downloads/securityupdate20060031046server.html
Security Update 2006-003 for Mac OS X 10.3.9 Server :
http://www.apple.com/support/downloads/securityupdate20060031039server.html

References

http://www.vupen.com/english/advisories/2006/1779
http://docs.info.apple.com/article.html?artnum=303737

Credits

Vulnerabilities reported by Damien Bobillot, Brent Simmons (NewsGator Technologies), Tobias Hahn (HU Berlin), Ben Low (University of New South Wales), Mike Price (McAfee AVERT Labs), and Mu Security research team.

ChangeLog

2006-05-11 : Initial release

Copyright 2003-2009 © VUPEN.COM - Privacy Policy