Multiple vulnerabilities have been identified in Apple Mac OS X, which could be exploited by remote or local attackers to disclose sensitive information, bypass security restrictions, cause a denial of service or compromise an affected system.
The first vulnerability, discovered by VUPEN Security, is caused by a heap overflow error in QuickDraw when handling malformed PICT images, which could be exploited by attackers to execute arbitrary code.
The second issue is caused by memory corruption errors in the AFP Client when handling responses received from a server, which could be exploited to crash an affected client or execute arbitrary code by tricking a user into connecting to a malicious AFP server.
The third weakness is caused by an error in the Adaptive Firewall that fails to detect SSH login attempts using invalid user names, which could facilitate brute-force attacks.
The fourth issue is caused by an input validation error in Apache when handling the TRACE HTTP method, which could allow cross-site scripting attacks.
The fifth vulnerability is caused by buffer overflow errors in Apple Type Services when handling embedded fonts, which could be exploited to execute arbitrary code via a specially crafted document.
The sixth issue is caused by an error in the Certificate Assistant when processing SSL certificates which have NULL characters in the Common Name field, which could allow spoofing attacks.
The seventh vulnerability is caused by integer overflow errors in CoreGraphics when handling malformed PDF files, which could be exploited to execute arbitrary code by tricking a user into opening a malicious PDF.
The eighth issue is caused by a memory corruption error in CoreMedia when processing a malformed H.264 movie, which could be exploited by attackers to execute arbitrary code via a malicious movie.
The ninth vulnerability is caused by a heap overflow error in CoreMedia when processing a malformed H.264 movie, which could be exploited by attackers to execute arbitrary code via a malicious movie.
The tenth issue is caused by a design error in Dictionary, which could allow attackers on the local network to write arbitrary data to arbitrary locations on a vulnerable filesystem via specially crafted JavaScript code.
The eleventh vulnerability is caused by an unspecified memory corruption error in DirectoryService, which could allow attackers to compromise systems configured as DirectoryService servers.
The twelfth issue is caused by a heap buffer overflow error within the handling of disk images containing FAT filesystems, which could be exploited to execute arbitrary code by tricking a user into downloading a malicious disk image.
The thirteenth issue is caused by an input validation error in the Event Monitor when logging authentication information, which could allow remote attackers to cause a denial of service via log injections.
The fourteenth vulnerability is caused by buffer overflow errors in the file command line tool when processing a malformed Common Document Format (CDF) file, which could be exploited to execute arbitrary code.
The fifteenth issue is caused by a buffer overflow error in the FTP Server when issuing a CWD command on a deeply nested directory hierarchy, which could be exploited to execute arbitrary code.
The sixteenth weakness is caused by the Help Viewer not using HTTPS for viewing remote Apple Help content, which could allow an attacker on the local network to send spoofed HTTP responses containing malicious "help:runscript" links, potentially leading to arbitrary code execution.
The seventeenth vulnerability is caused by a buffer overflow error in the UCCompareTextDefault API, which could be exploited to execute arbitrary code.
The eighteenth issue is caused by IOKit not requiring system privileges to send firmware to USB or Bluetooth Apple keyboards, which could allow an unprivileged user to alter the firmware in an attached device.
The nineteenth vulnerability is caused by input validation errors in the kernel's handling of task state segments, which could allow local attackers to disclose certain information, cause a denial of service or gain elevated privileges.
The twentieth issue is caused by Launch Services not triggering a user warning prior to opening unsafe downloaded content, which could lead to arbitrary code execution.
The twenty-first issue is caused by a race condition in the Login Window, which may allow a user to log in to any account without supplying a password.
The twenty-second vulnerability is caused by an integer overflow error in QuickLook when handling malformed MS Office files, which could allow attackers to execute arbitrary code.
The twenty-third issue is caused by memory corruption errors in the Screen Sharing client when accessing a malicious VNC server, e.g. by opening a vnc:// URL, which could be exploited to execute arbitrary code.
The twenty-fourth vulnerability is caused by an error in Spotlight when handling temporary files, which could allow a local user to overwrite files with the privileges of another user.
Various other vulnerabilities related to Apache, APR, CUPS, Dovecot, Fetchmail, LibTIFF, IPSec, libsecurity, libxml, OpenLDAP, OpenSSH, PHP, QuickTime, FreeRADIUS and Subversion have also been reported. For additional information, see: VUPEN/ADV-2007-3645 - VUPEN/ADV-2008-0536 - VUPEN/ADV-2008-2378 - VUPEN/ADV-2008-3172 - VUPEN/ADV-2009-1147 - VUPEN/ADV-2009-1444 - VUPEN/ADV-2009-1501 - VUPEN/ADV-2009-1637 - VUPEN/ADV-2009-1773 - VUPEN/ADV-2009-1841 - VUPEN/ADV-2009-2085 - VUPEN/ADV-2009-2155 - VUPEN/ADV-2009-2179 - VUPEN/ADV-2009-2180 - VUPEN/ADV-2009-2220 - VUPEN/ADV-2009-2584 - VUPEN/ADV-2009-2600 - VUPEN/ADV-2009-2641 - VUPEN/ADV-2009-2699 - VUPEN/ADV-2009-3177
Apple Mac OS X version 10.6.1 and prior
Apple Mac OS X version 10.5.8 and prior
Apple Mac OS X Server version 10.6.1 and prior
Apple Mac OS X Server version 10.5.8 and prior
Apply Mac OS X v10.6.2 Update:
http://support.apple.com/downloads/DL958/en_US/MacOSXUpd10.6.2.dmg
Apply Mac OS X Server v10.6.2 Update:
http://support.apple.com/downloads/DL960/en_US/MacOSXServerUpd10.6.2.dmg
Apply Mac OS X v10.6.2 Update (Combo):
http://support.apple.com/downloads/DL959/en_US/MacOSXUpdCombo10.6.2.dmg
Apply Mac OS X Server v10.6.2 Update (Combo):
http://support.apple.com/downloads/DL961/en_US/MacOSXServerUpdCombo10.6.2.dmg
Apply Apple Security Update 2009-006 for Mac OS X Server v10.5.8:
http://support.apple.com/downloads/DL962/en_US/SecUpdSrvr2009-006.dmg
Apply Apple Security Update 2009-006 for Mac OS X v10.5.8:
http://support.apple.com/downloads/DL963/en_US/SecUpd2009-006.dmg
http://www.vupen.com/english/advisories/2009/3184
http://support.apple.com/kb/HT3937
Vulnerabilities reported by Nicolas Joly (VUPEN Security), Tom Ferris (Adobe Secure Software Engineering Team), TippingPoint ZDI, Brian Mastenbrook, Nikita Zhuk and Petteri Kamppuri (MK&C), K. Chen (Georgia Institute of Technology), Regis Duchesne (VMware), Dan Kaminsky (IOACTIVE), Microsoft Vulnerability Research (MSVR), Rauli Kaksonen and Jukka Taimisto (CROSS project / Codenomicon Ltd), Alex Selivanov and Damian Put.
2009-11-10: Initial release