// MacSecurity.net
2009 April 28 -- "iBotNet / iServices Trojan Horse"
- There's a trojan horse going around if you've downloaded
things from the depths of the torrentsphere... so, if you've been
clean about things, you don't have to worry...
2008 December 3 -- "A third variant of the RSPlug Trojan has appeared online..."
2008 November 24 -- "OSX.Lamzev.A (A.K.A. OSX.TrojanKit.Malez)"
2008 November 13 -- APPLE-SA-2008-11-13 Safari 3.2
Safari 3.2 is now available and addresses the following issues:
Safari
CVE-ID: CVE-2005-2096
Available for: Windows XP or Vista
Impact: Multiple vulnerabilities in zlib 1.2.2
Description: Multiple vulnerabilities exist in zlib 1.2.2, the most
serious of which may lead to a denial of service. This update
addresses the issues by updating to zlib 1.2.3. These issues do not
affect Mac OS X systems. Credit to Robbie Joosten of
bioinformatics@school, and David Gunnells of the University of
Alabama at Birmingham for reporting these issues.
Safari
CVE-ID: CVE-2008-1767
Available for: Windows XP or Vista
Impact: Processing an XML document may lead to an unexpected
application termination or arbitrary code execution
Description: A heap buffer overflow issue exists in the libxslt
library. Viewing a maliciously crafted HTML page may lead to an
unexpected application termination or arbitrary code execution.
Further information on the patch applied is available via
http://xmlsoft.org/XSLT/ This issue does not affect Mac OS X systems
that have applied Security Update 2008-007. Credit to Anthony de
Almeida Lopes of Outpost24 AB, and Chris Evans of the Google Security
Team for reporting this issue.
Safari
CVE-ID: CVE-2008-3623
Available for: Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in CoreGraphics' handling
of color spaces. Viewing a maliciously crafted image may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue through improved bounds checking. Credit:
Apple.
Safari
CVE-ID: CVE-2008-2327
Available for: Windows XP or Vista
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple uninitialized memory access issues exist in
libTIFF's handling of LZW-encoded TIFF images. Viewing a maliciously
crafted TIFF image may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue through
proper memory initialization and additional validation of TIFF
images. This issue is addressed in systems running Mac OS X v10.5.5
or later, and in Mac OS X v10.4.11 systems that have applied Security
Update 2008-006. Credit: Apple.
Safari
CVE-ID: CVE-2008-2332
Available for: Windows XP or Vista
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in ImageIO's handling
of TIFF images. Viewing a maliciously crafted TIFF image may lead to
an unexpected application termination or arbitrary code execution.
This update addresses the issue through improved processing of TIFF
images. This issue is addressed in systems running Mac OS X v10.5.5
or later, and in Mac OS X v10.4.11 systems that have applied Security
Update 2008-006. Credit to Robert Swiecki of the Google Security Team
for reporting this issue.
Safari
CVE-ID: CVE-2008-3608
Available for: Windows XP or Vista
Impact: Viewing a large maliciously crafted JPEG image may lead to
an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in ImageIO's handling
of embedded ICC profiles in JPEG images. Viewing a large maliciously
crafted JPEG image may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue through
improved processing of ICC profiles. This issue is addressed in
systems running Mac OS X v10.5.5 or later, and in Mac OS X v10.4.11
systems that have applied Security Update 2008-006. Credit: Apple.
Safari
CVE-ID: CVE-2008-3642
Available for: Windows XP or Vista
Impact: Viewing a maliciously crafted image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in the handling of images with
an embedded ICC profile. Opening a maliciously crafted image with an
embedded ICC profile may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue by performing additional validation of ICC profiles in images.
This issue does not affect Mac OS X systems that have applied
Security Update 2008-007. Credit: Apple.
Safari
CVE-ID: CVE-2008-3644
Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista
Impact: Sensitive information may be disclosed to a local console user
Description: Disabling autocomplete on a form field may not prevent
the data in the field from being stored in the browser page cache.
This may lead to the disclosure of sensitive information to a local
user. This update addresses the issue by properly clearing the form
data. Credit to an anonymous researcher for reporting this issue.
WebKit
CVE-ID: CVE-2008-2303
Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A signedness issue in Safari's handling of JavaScript
array indices may result in an out-of-bounds memory access. Visiting
a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue by performing additional validation of JavaScript array
indices. Credit to SkyLined of Google for reporting this issue.
WebKit
CVE-ID: CVE-2008-2317
Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebCore's handling
of style sheet elements. Visiting a maliciously crafted website may
lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved garbage
collection. Credit to an anonymous researcher working with the
TippingPoint Zero Day Initiative for reporting this issue.
WebKit
CVE-ID: CVE-2008-4216
Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: WebKit's plug-in interface does not block plug-ins from
launching local URLs. Visiting a maliciously crafted website may
allow a remote attacker to launch local files in Safari, which may
lead to the disclosure of sensitive information. This update
addresses the issue by restricting the types of URLs that may be
launched via the plug-in interface. Credit to Billy Rios of
Microsoft, and Nitesh Dhanjani of Ernst & Young for reporting this
issue.
2008 November 11 -- smcFanControl 2.1.2 Buffer Overflow Exploit & Fix
2008 November 10 -- APPLE-SA-2008-11-10 iLife Support 8.3.1
iLife Support 8.3.1 is now available and addresses the following security issues:
ImageIO
CVE-ID: CVE-2008-2327
Available for: iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple uninitialized memory access issues exist in
libTIFF's handling of LZW-encoded TIFF images. Viewing a maliciously
crafted TIFF image may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue through
proper memory initialization and additional validation of TIFF
images. These issues are already addressed in systems running Mac OS
X v10.5.5. Credit: Apple.
ImageIO
CVE-ID: CVE-2008-2332
Available for: iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of TIFF
images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue through improved processing of TIFF
images. This issue is already addressed in systems running Mac OS X
v10.5.5. Credit to Robert Swiecki of Google Security Team for
reporting this issue.
ImageIO
CVE-ID: CVE-2008-3608
Available for: iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11
Impact: Viewing a large maliciously crafted JPEG image may lead to
an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in ImageIO's handling
of embedded ICC profiles in JPEG images. Viewing a large maliciously
crafted JPEG image may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue through
improved processing of ICC profiles. This issue is already addressed
in systems running Mac OS X v10.5.5. Credit: Apple.
2008 October 31 -- "OSX.RSPlug.A Trojan Horse"
2008 October 14 -- "Privacy issues with Flash cookies"
2008 October 10 -- "GPU acceleration for WPA cracking"
2008 September 16 -- "Potential code execution vulnerabilities in Illustrator CS2"
2008 August 18 -- "MobileMe and (lack of) encryption"
2008 August 8 -- "It's a Core Location access blacklist, not an 'iPhone
application deletion' list"
- Daring Fireball - "It's a Core Location Blacklist"
From the article: "... the 'clbl' in the URL stands for 'Core Location
Blacklist', and that it does just that. It is not a blacklist for disabling
apps completely, but rather specifically for preventing any listed apps
from accessing Core Location — an API which, for obvious privacy
reasons, is covered by very strict rules in the iPhone SDK guidelines."
2008 August 6 -- "More ways to protect yourself from phishing scams"
2008 August 6 -- "iRK (iRootKit) presented at Black Hat 2008 by Jesse D'Aguanno"
- BlackHat 2008 - iRK: Crafting OS X Kernel Rootkits
"Jesse 'x30n' D'Aguanno gave a talk that built on previous rootkit research,
applying rootkit and kernel subversion techniques from the Windows, Linux,
and BSD worlds to Apple's OS X operating system as well as taking advantage
of some of the unique features of OS X. It will detail topics such as:
Introducing code into the XNU kernel (Basic KEXT development), Hooking,
Direct Kernel Object Manipulation, Patching Running Kernel Memory, etc.
It will cover some of the pitfalls encountered while developing rootkits for
OS X and how to overcome them."
- Security Monkey's blog - BlackHat 2008 LiveBlog: Day 1 (Scroll down for
notes on Jesse's talk.)
- InternetNews Blog - Black Hats hack Macs (2008 August 7)
2008 July 31 -- Security Update 2008-005
- Products Affected: Mac OS X Server 10.4, Security, Mac OS X 10.4.11,
Mac OS X Server 10.5, Mac OS X 10.5.4
- Security Update 2008-005 addresses the following issues:
Open Scripting Architecture
CVE-ID: CVE-2008-2830
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.4, Mac OS X Server v10.5.4
Impact: A local user may execute commands with elevated privileges
Description: A design issue exists in the Open Scripting Architecture
libraries when determining whether to load scripting addition plugins
into applications running with elevated privileges. Sending scripting
addition commands to a privileged application may allow the execution
of arbitrary code with those privileges. This update addresses the
issue by not loading scripting addition plugins into applications
running with system privileges. The recently reported ARDAgent and
SecurityAgent issues are addressed by this update. Credit to Charles
Srstka for reporting this issue.
BIND
CVE-ID: CVE-2008-1447
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.4, Mac OS X Server v10.5.4
Impact: BIND is susceptible to DNS cache poisoning and may return
forged information
Description: The Berkeley Internet Name Domain (BIND) server is
distributed with Mac OS X, and is not enabled by default. When enabled,
the BIND server provides translation between host names and IP
addresses. A weakness in the DNS protocol may allow remote attackers to
perform DNS cache poisoning attacks. As a result, systems that rely on
the BIND server for DNS may receive forged information. This update
addresses the issue by implementing source port randomization to
improve resilience against cache poisoning attacks. For Mac OS X
v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X
v10.5.4 systems, BIND is updated to version 9.4.2-P1. Credit to Dan
Kaminsky of IOActive for reporting this issue.
CarbonCore
CVE-ID: CVE-2008-2320
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.4, Mac OS X Server v10.5.4
Impact: Processing long filenames may lead to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow exists in the handling of long
filenames. Processing long filenames may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue through improved bounds checking. Credit to Thomas
Raffetseder of the International Secure Systems Lab and Sergio
'shadown' Alvarez of n.runs AG for reporting this issue.
CoreGraphics
CVE-ID: CVE-2008-2321
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.4, Mac OS X Server v10.5.4
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: CoreGraphics contains memory corruption issues in the
processing of arguments. Passing untrusted input to CoreGraphics via an
application, such as a web browser, may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue through improved bounds checking. Credit to Michal
Zalewski of Google for reporting this issue.
CoreGraphics
CVE-ID: CVE-2008-2322
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.4, Mac OS X Server v10.5.4
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow in the handling of PDF files may result
in a heap buffer overflow. Viewing a maliciously crafted PDF file may
lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through additional
validation of PDF files. Credit to Pariente Kobi working with the
iDefense VCP for reporting this issue.
Data Detectors Engine
CVE-ID: CVE-2008-2323
Available for: Mac OS X v10.5.4, Mac OS X Server v10.5.4
Impact: Viewing maliciously crafted messages with Data Detectors may
lead to an unexpected application termination.
Description: Data Detectors are used to extract reference information
from textual content or archives. A resource consumption issue exists
in Data Detectors' handling of textual content. Viewing maliciously
crafted content in an application that uses Data Detectors may lead to
a denial of service, but not arbitrary code execution. This issue does
not affect systems prior to Mac OS X v10.5.
Disk Utility
CVE-ID: CVE-2008-2324
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: A local user may obtain system privileges
Description: The "Repair Permissions" tool in Disk Utility makes
/usr/bin/emacs setuid. After the Repair Permissions tool has been run,
a local user may use emacs to run commands with system privileges. This
update addresses the issue by correcting the permissions applied to
emacs in the Repair Permissions tool. This issue does not affect
systems running Mac OS X v10.5 and later. Credit to Anton Rang and
Brian Timares for reporting this issue.
OpenLDAP
CVE-ID: CVE-2008-2952
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.4, Mac OS X Server v10.5.4
Impact: A remote attacker may be able to cause an unexpected
application termination.
Description: An issue exists in OpenLDAP's ASN.1 BER decoding. Processing
a maliciously crafted LDAP message may trigger an assertion and lead to
an unexpected application termination of the OpenLDAP daemon, slapd.
This update addresses the issue by performing additional validation of
LDAP messages.
OpenSSL
CVE-ID: CVE-2007-5135
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.4, Mac OS X Server v10.5.4
Impact: A remote attacker may be able to cause an unexpected
application termination or arbitrary code execution.
Description: A range checking issue exists in the
SSL_get_shared_ciphers() utility function within OpenSSL. In an
application using this function, processing maliciously crafted packets
may lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved bounds
checking.
PHP
CVE-ID: CVE-2008-2051, CVE-2008-2050, CVE-2007-4850,
CVE-2008-0599, CVE-2008-0674
Available for: Mac OS X v10.5.4, Mac OS X Server v10.5.4
Impact: Multiple vulnerabilities in PHP 5.2.5
Description: PHP is updated to version 5.2.6 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the PHP website at
http://www.php.net/ PHP version 5.2.x is only provided with Mac OS X
v10.5 systems.
QuickLook
CVE-ID: CVE-2008-2325
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.4, Mac OS X Server v10.5.4
Impact: Downloading a maliciously crafted Microsoft Office file may lead
to an unexpected application termination or arbitrary code execution.
Description: Multiple memory corruption issues exist in QuickLook's
handling of Microsoft Office files. Downloading a maliciously crafted
Microsoft Office file may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue through
improved bounds checking. This issue does not affect systems prior to
Mac OS X v10.5.
rsync
CVE-ID: CVE-2007-6199, CVE-2007-6200
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.4, Mac OS X Server v10.5.4
Impact: Files outside the module root may be accessed or
overwritten remotely.
Description: Path validation issues exist in rsync's handling of symbolic
links when running in daemon mode. Placing symbolic links in an rsync
module may allow files outside of the module root to be accessed or
overwritten. This update addresses the issue through improved handling
of symbolic links. Further information on the patches applied is
available via the rsync web site at http://rsync.samba.org/
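The Disk Utility entry above (CVE-2008-2324) describes Repair Permissions leaving /usr/bin/emacs setuid. The following is an added example, not part of Apple's advisory or this site's original text: a POSIX shell audit that reports setuid files missing from an expected list. The allowlist format (one absolute path per line) and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: report setuid files that are not on an expected list.
# Assumption: the allowlist is a text file with one absolute path per line.

# is_setuid FILE: succeeds if FILE is a regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# is_allowed ALLOWLIST FILE: succeeds if FILE is a whole line in ALLOWLIST.
is_allowed() {
    [ -r "$1" ] && grep -Fxq -- "$2" "$1"
}

# audit_setuid ALLOWLIST FILE...: prints each setuid FILE that is missing
# from ALLOWLIST; returns 1 if any was found, 0 otherwise.
audit_setuid() {
    allowlist=$1
    shift
    status=0
    for f in "$@"; do
        if is_setuid "$f" && ! is_allowed "$allowlist" "$f"; then
            printf 'UNEXPECTED setuid: %s\n' "$f"
            status=1
        fi
    done
    return "$status"
}

# demo: constructed files in a temporary directory stand in for system
# binaries, so the audit can be exercised without touching /usr/bin.
demo() {
    dir=$(mktemp -d) || return 2
    : > "$dir/emacs"; : > "$dir/passwd"; : > "$dir/ls"
    chmod 4755 "$dir/emacs" "$dir/passwd"   # both carry the setuid bit
    chmod 0755 "$dir/ls"                    # ordinary executable
    printf '%s\n' "$dir/passwd" > "$dir/allow"
    audit_setuid "$dir/allow" "$dir/emacs" "$dir/passwd" "$dir/ls"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Stand-alone use: sh audit.sh ALLOWLIST FILE...
if [ "$#" -ge 2 ]; then
    audit_setuid "$@"
fi
```

Run against /usr/bin/emacs with an allowlist that omits it, the script prints a line and exits 1 while the file is still setuid, and exits 0 once the permissions are corrected.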
2008 July 22 -- "Mac virus for sale?"
2008 July 8 -- "Apple fails to patch critical exploited DNS flaw"
[restoration from archives... pending...]