Multiple vulnerabilities have been identified in Apple Mac OS X, which could be exploited by remote or local attackers to cause a denial of service, disclose sensitive information, bypass security restrictions or compromise an affected system.

These issues are caused by implementation, data validation and buffer overflow errors in the following components: AFP Client, AFP Server, Apache, AppKit, Application Firewall, CFNetwork, ClamAV, CoreFoundation, CoreServices, CUPS, curl, Emacs, file, Foundation, Help Viewer, Image Raw, Kerberos, libc, mDNSResponder, notifyd, OpenSSH, pax, PHP, Podcast Producer, Preview, Printing, System Configuration, UDF, Wiki Server, and X11. They could be exploited by attackers to bypass security checks, gain knowledge of sensitive information, cause a denial of service, or execute arbitrary commands or scripting code.

For additional information, see:
VUPEN/ADV-2005-2791
VUPEN/ADV-2005-2870
VUPEN/ADV-2006-2585
VUPEN/ADV-2006-3017
VUPEN/ADV-2006-4521
VUPEN/ADV-2006-4948
VUPEN/ADV-2007-0623
VUPEN/ADV-2007-1040
VUPEN/ADV-2007-1378
VUPEN/ADV-2007-1838
VUPEN/ADV-2007-2509
VUPEN/ADV-2007-2952
VUPEN/ADV-2007-3020
VUPEN/ADV-2007-3156
VUPEN/ADV-2007-3337
VUPEN/ADV-2007-3390
VUPEN/ADV-2007-3715
VUPEN/ADV-2007-3725
VUPEN/ADV-2007-3825
VUPEN/ADV-2007-4060
VUPEN/ADV-2007-4201
VUPEN/ADV-2007-4253
VUPEN/ADV-2008-0047
VUPEN/ADV-2008-0048
VUPEN/ADV-2008-0059
VUPEN/ADV-2008-0179
VUPEN/ADV-2008-0503
VUPEN/ADV-2008-0623
VUPEN/ADV-2008-0921
VUPEN/ADV-2008-0922
Affected Products
Apple Mac OS X version 10.4.11 and prior
Apple Mac OS X Server version 10.4.11 and prior
Apple Mac OS X version 10.5.2 and prior
Apple Mac OS X Server version 10.5.2 and prior
Solution
Apply Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Apply Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Apply Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Apply Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Apply Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Apply Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
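When scoping this advisory across a fleet, the check a practitioner wants is twofold: whether a host's reported version falls inside one of the two affected ranges (the 10.5 branch up to 10.5.2, and 10.4.11 and prior), and, if so, whether Security Update 2008-002 has actually been installed. The version alone cannot answer the second question, because a security update does not change the point release reported by sw_vers. The POSIX shell script below is an added example; it is not part of the VUPEN advisory or of Apple's documentation. The receipt name pattern SecUpd2008-002*.pkg under /Library/Receipts and the pkgutil package identifier pattern are assumptions based on Apple's usual naming for security updates and must be confirmed against a patched reference system before the script is trusted for inventory.

```shell
#!/bin/sh
# Added example, not from the VUPEN advisory or Apple: scope a host against
# the affected ranges in this advisory and look for evidence that Security
# Update 2008-002 is installed.

# version_le A B : exit status 0 if dotted version A <= B, 1 otherwise.
# Missing components are treated as 0, so 10.5 compares equal to 10.5.0.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 0
    }'
}

# is_affected VERSION : exit status 0 if VERSION falls in a range the
# advisory lists. The two ranges are distinct: the 10.5 branch up to 10.5.2,
# everything else up to 10.4.11 (the advisory says "and prior", so 10.3.x
# is reported as affected as well).
is_affected() {
    case "$1" in
        10.5|10.5.*) version_le "$1" 10.5.2 ;;
        *)           version_le "$1" 10.4.11 ;;
    esac
}

# update_receipt_present : exit status 0 if either a legacy receipt bundle
# (10.4 and 10.5) or a pkgutil package id (10.5 only) for the update is
# found. Both name patterns are assumptions; confirm them on a patched
# reference system before relying on this in an inventory script.
update_receipt_present() {
    if ls /Library/Receipts/SecUpd2008-002*.pkg >/dev/null 2>&1; then
        return 0
    fi
    if command -v pkgutil >/dev/null 2>&1 &&
       pkgutil --pkgs 2>/dev/null | grep -qi 'SecUpd2008-002'; then
        return 0
    fi
    return 1
}

# check_host : intended to run on a Mac OS X host. Prints a one-line verdict
# and exits 0 (patched or out of scope), 1 (affected and no receipt found)
# or 2 (not a Mac OS X host, i.e. sw_vers is missing).
check_host() {
    v=$(sw_vers -productVersion 2>/dev/null) || {
        echo "sw_vers not found: not Mac OS X"
        return 2
    }
    if ! is_affected "$v"; then
        echo "$v: outside the affected ranges"
        return 0
    fi
    if update_receipt_present; then
        echo "$v: affected range, Security Update 2008-002 receipt present"
        return 0
    fi
    echo "$v: affected range, no Security Update 2008-002 receipt found"
    return 1
}

# Usage: sh check_2008-002.sh --run
# Without --run the file only defines the functions, so it can be sourced
# by a larger inventory script.
if [ "${1:-}" = "--run" ]; then
    check_host
fi
```

The version comparison is deliberately numeric per component rather than a string compare, so that 10.4.9 sorts below 10.4.11; a naive lexical check would report 10.4.11 as older than 10.4.9. Treat a missing receipt as "unknown, assume unpatched" rather than as proof: a host restored from an image may have the update applied without the receipt present, which is why the receipt patterns above should be validated on a known-good machine first.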
References
http://www.vupen.com/english/advisories/2008/0924
http://docs.info.apple.com/article.html?artnum=307562
Credits
Vulnerabilities reported by Ragnar Sundblad (KTH - Royal Institute of Technology), regenrecht, VeriSign iDefense Labs, Colin Percival (FreeBSD security team), Daniel Jalkut (Red Sweater Software), Brian Mastenbrook, Clint Ruoho (Laconic Security), Mike Ash (Rogue Amoeba Software), Maximilian Reiss (Chair for Applied Software Engineering, TUM), Paul Wagland (Redwood Software), Wayne Linder (Iomega), and Rodrigo Carvalho (CORE Security Technologies).
ChangeLog
2008-03-19 : Initial release