Title: Apple Mac OS X Security Update 2005-006 Multiple Vulnerabilities
Severity: CRITICAL
Description:
Apple has released Security Update 2005-006 to address multiple Mac OS X local and remote vulnerabilities.
The following new vulnerabilities were addressed by the security update:
- A buffer overflow (CAN-2005-1721) in the AFP (Apple File Protocol) Server. This issue is present in legacy client support for the Mac OS X AFP Server. Exploitation will likely permit remote code execution in the context of the server.
- A vulnerability (CAN-2005-1720) in AFP Server related to temporary ACLs. A temporary ACL may still be attached to a remote object after a remote copy operation. This will override POSIX file permissions on the file object. The ACL could deny access to the file. This could also have other security repercussions, such as unauthorized access, though this has not been confirmed.
- A denial of service vulnerability (CAN-2005-1722) in the CoreGraphics component. A malformed PDF document could cause a null pointer dereference when rendered by PDFKit or CoreGraphics.
- A local privilege escalation (CAN-2005-1726) in the CoreGraphics component. Console users may gain superuser privileges by launching commands through the CoreGraphics Window Server.
- A local race condition vulnerability (CAN-2005-1727) related to permissions on the system cache and Dashboard folders. The issue results from these folders having group- and world-writable permissions.
- A local privilege escalation vulnerability (CAN-2005-1725) in the launch daemon (launchd). Local attackers could exploit this issue to change the ownership of files, which may in turn allow attackers to gain elevated privileges. This issue arises due to a race condition during the creation of temporary files. launchd executes with superuser privileges.
- A vulnerability in Launch Services (CAN-2005-1723) could allow files to bypass "safe download" checks. This issue is exposed when an addition to the unsafe file types database is made without a corresponding Apple UTI (Uniform Type Identifier). As a result, a database query on variations of the file extension/MIME type could cause an unsafe file type to be considered safe despite being listed in the unsafe file types database. This would only occur when unsafe file types are added to the database; the issue is not present with the default list.
- A vulnerability (CAN-2005-1728) in the MCX Client that may allow local attackers to gain access to Portable Home Directory credentials. This is due to insecure logging of credentials by the MCX Client.
- A vulnerability in NFS (CAN-2005-1724) could allow unauthorized access to exported filesystems. The source of the problem is that -network and -mask filesystem settings may unintentionally export filesystems to "everyone". This is due to a failure to correctly set these parameters.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues.
Affected Products:
- Apple Mac OS X 10.3.9
- Apple Mac OS X 10.4.0
- Apple Mac OS X 10.4.1
- Apple Mac OS X Server 10.3.9
- Apple Mac OS X Server 10.4.0
- Apple Mac OS X Server 10.4.1