TITLE:
Mac OS X Security Update Fixes Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA20077

VERIFY ADVISORY:
https://secunia.com/advisories/20077/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Exposure of sensitive information, DoS, System
access

WHERE:
>From remote

OPERATING SYSTEM:
Apple Macintosh OS X
https://secunia.com/product/96/

DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.

1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.

2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.

For more information:
SA19686

3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.

For more information:
SA19686

4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.

5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.

6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.

For more information:
SA19534

7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.

8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.

9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.

10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.

11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.

12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.

For more information:
SA17430
SA19218

13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.

14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.

15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.

16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.

For more information:
SA17907

17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.

18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.

19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.

20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.

21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash an application and potentially execute arbitrary
code.

22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.

23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.

24) An error in Ruby can be exploited to bypass safe level
restrictions.

For more information:
SA16904

25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.

SOLUTION:
Apply Security Update 2006-003.

Mac OS X 10.4.6 Client (PPC):
https://www.apple.com/support/downloads/securityupdate2006003macosx1046clientppc.html

Mac OS X 10.4.6 Client (Intel):
https://www.apple.com/support/downloads/securityupdate2006003macosx1046clientintel.html

Mac OS X 10.3.9 Client:
https://www.apple.com/support/downloads/securityupdate20060031039client.html

Mac OS X 10.4.6 Server:
https://www.apple.com/support/downloads/securityupdate20060031046server.html

Mac OS X 10.3.9 Server:
https://www.apple.com/support/downloads/securityupdate20060031039server.html

PROVIDED AND/OR DISCOVERED BY:
9) The vendor credits Damien Bobillot.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team

ORIGINAL ADVISORY:
Apple:
https://docs.info.apple.com/article.html?artnum=303737

OTHER REFERENCES:
SA19686:
https://secunia.com/advisories/19686/

SA19534:
https://secunia.com/advisories/19534/

SA17430:
https://secunia.com/advisories/17430/

SA19218:
https://secunia.com/advisories/19218/

SA17907:
https://secunia.com/advisories/17907/

SA16904:
https://secunia.com/advisories/16904/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
https://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
https://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------