Title: Apple Mac OS X 2007-007 Multiple Security Vulnerabilities
Severity: CRITICAL
Description:
Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including CFNetwork, CoreAudio, iChat, mDNSResponder, PDFKit, Quartz Composer, Samba, and WebCore.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
The following specific issues were reported:
- An unauthorized-access vulnerability affects CFNetwork. An attacker can exploit this issue by enticing victims into following a malicious URI, resulting in the execution of arbitrary FTP commands in the victim's FTP client. This issue is tracked by CVE-2007-2403.
- An HTTP-response-splitting vulnerability affects CFNetwork. An attacker may be able to exploit this issue to perform cross-site scripting attacks; other attacks are also possible. This issue is tracked by CVE-2007-2404. Steven Kramer of sprintteam.nl is credited with the discovery of this vulnerability.
- An arbitrary code-execution vulnerability affects the Java interface of CoreAudio and could permit an attacker to execute arbitrary code in the context of a victim visiting a webpage containing a maliciously crafted Java applet. This issue is tracked by CVE-2007-3745.
- A heap-based buffer-overflow issue affects the Java interface of CoreAudio and could permit an attacker to execute arbitrary code in the context of a victim visiting a webpage containing a maliciously crafted Java applet. This issue is tracked by CVE-2007-3746.
- An arbitrary code-execution vulnerability affects CoreAudio. This issue occurs because the Java interface of CoreAudio may allow the instantiation or manipulation of objects outside the bounds of the allocated heap. An attacker can exploit this issue by enticing a victim into visiting a webpage containing a maliciously crafted Java applet. This issue is tracked by CVE-2007-3747.
- A buffer-overflow vulnerability affects iChat. This issue occurs in the UPnP IGD code used to create Port Mappings on NAT gateways. An attacker can exploit this issue by sending a maliciously crafted packet to an unsuspecting user to execute arbitrary code or cause denial-of-service conditions. This issue is tracked by CVE-2007-3748.
- A remotely exploitable heap-overflow vulnerability affects mDNSResponder. This issue occurs in the UPnP IGD code used to create Port Mappings on NAT gateways. In particular, the Legacy NAT Traversal code is affected by a heap overflow, which could be exploited to corrupt heap memory in a manner that allows an attacker to execute arbitrary code. An attacker can exploit this vulnerability with a malicious HTTP request. The service listens on a dynamic unicast UDP port. This issue is tracked by CVE-2007-3744. Versions prior to Mac OS X 10.4 are not vulnerable.
- An integer-underflow vulnerability affects PDFKit. An attacker can exploit this issue by enticing an unsuspecting victim into opening a malicious PDF file. This issue is tracked by CVE-2007-2405. Versions prior to Mac OS X 10.4 are not vulnerable.
- An arbitrary-code-execution vulnerability affects Quartz Composer. This issue is due to an uninitialized object pointer. Attackers can exploit it by enticing an unsuspecting victim into opening a malicious Quartz Composer file. This issue is tracked by CVE-2007-2406. Versions prior to Mac OS X 10.4 are not vulnerable.
- A security-bypass vulnerability affects Samba. This issue is due to how the service drops privileges and may allow an attacker to bypass file quotas. This issue is tracked by CVE-2007-2407. The discovery of this issue is credited to Mike Matz of Wyomissing Area School District.
- An HTML-injection vulnerability affects WebCore. The problem occurs when parsing comments inside an HTML title element. An attacker can exploit this issue to inject arbitrary HTML and script code to be executed in the browser of an unsuspecting victim. This issue is tracked by CVE-2007-0478.
- An information-disclosure vulnerability affects WebCore. A popup window can read the URL that is currently being viewed in the parent window. This may allow an attacker to obtain potentially sensitive information that may aid in further attacks. This issue is tracked by CVE-2007-2409; discovery is credited to Secunia Research.
- A cross-site scripting issue affects WebCore. This issue occurs in Safari when properties of certain global objects are not cleared prior to navigating to a new URL. This issue is tracked by CVE-2007-2410.
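The CFNetwork HTTP-response-splitting item above (CVE-2007-2404) is possible only when attacker-controlled CR or LF characters reach a response header unescaped. As an added, defender-side example that is not part of this advisory and is not Apple's or CFNetwork's code, the Python below shows the input check a server-side application can apply before echoing a request value into a header (for instance a redirect Location), plus a scan of access-log lines for percent-encoded CR/LF, which is a cheap signal that someone is probing for this bug class. The function names, the sample header values and the log lines are all constructed for illustration.

```python
"""Defensive checks for HTTP response splitting (CRLF injection into headers).

Two layers are shown:
  1. reject a value that contains control characters before it is written
     into a response header;
  2. flag access-log requests that carry percent-encoded CR/LF sequences.
All sample inputs in this file are constructed, not taken from any real system.
"""
import re
from typing import List
from urllib.parse import unquote

# CR, LF and NUL must never appear in a header value; the remaining C0 control
# characters (and DEL) are rejected as well, because header parsers disagree
# on how to treat them.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f]")

# Percent-encoded CR or LF as it appears in a raw request line or access log.
_ENCODED_CRLF = re.compile(r"%0[dD]|%0[aA]")


def is_safe_header_value(value: str) -> bool:
    """Return True only if the value carries no control characters.

    The percent-decoded form is checked too: a value that is still encoded
    here may be decoded by a downstream component before it is written out,
    so it is conservatively treated as unsafe.
    """
    decoded = unquote(value)
    return not (_FORBIDDEN.search(value) or _FORBIDDEN.search(decoded))


def build_redirect_location(target: str) -> str:
    """Return a Location header value, or raise if it would split the response."""
    if not is_safe_header_value(target):
        raise ValueError("refusing to emit header: control characters in value")
    return target


def find_splitting_attempts(log_lines: List[str]) -> List[str]:
    """Return the access-log lines whose request contains encoded CR/LF."""
    return [line for line in log_lines if _ENCODED_CRLF.search(line)]


# Constructed sample access-log lines in Common Log Format (hypothetical hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Jul/2007:10:00:01 +0000] "GET /login?next=/account HTTP/1.1" 302 0',
    '203.0.113.7 - - [31/Jul/2007:10:00:02 +0000] "GET /login?next=/%0d%0aSet-Cookie:%20x=1 HTTP/1.1" 302 0',
    '203.0.113.9 - - [31/Jul/2007:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 4120',
]

if __name__ == "__main__":
    print("allowed:", build_redirect_location("/account?tab=profile"))
    try:
        build_redirect_location("/%0d%0aSet-Cookie:%20x=1")
    except ValueError as exc:
        print("blocked:", exc)
    for hit in find_splitting_attempts(SAMPLE_LOG):
        print("suspicious request:", hit)
```

Rejecting rather than stripping the offending characters is the deliberate choice here: a stripped value silently changes the redirect target, while a rejection surfaces the attempt in application logs where it can be correlated with the access-log scan.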
Affected Products:
- Apple Mac OS X 10.3.0
- Apple Mac OS X 10.3.1
- Apple Mac OS X 10.3.2
- Apple Mac OS X 10.3.3
- Apple Mac OS X 10.3.4
- Apple Mac OS X 10.3.5
- Apple Mac OS X 10.3.6
- Apple Mac OS X 10.3.7
- Apple Mac OS X 10.3.8
- Apple Mac OS X 10.3.9
- Apple Mac OS X 10.4.0
- Apple Mac OS X 10.4.1
- Apple Mac OS X 10.4.2
- Apple Mac OS X 10.4.3
- Apple Mac OS X 10.4.4
- Apple Mac OS X 10.4.5
- Apple Mac OS X 10.4.6
- Apple Mac OS X 10.4.7
- Apple Mac OS X 10.4.8
- Apple Mac OS X 10.4.9
- Apple Mac OS X 10.4.10
- Apple Mac OS X Server 10.3.0
- Apple Mac OS X Server 10.3.1
- Apple Mac OS X Server 10.3.2
- Apple Mac OS X Server 10.3.3
- Apple Mac OS X Server 10.3.4
- Apple Mac OS X Server 10.3.5
- Apple Mac OS X Server 10.3.6
- Apple Mac OS X Server 10.3.7
- Apple Mac OS X Server 10.3.8
- Apple Mac OS X Server 10.3.9
- Apple Mac OS X Server 10.4.0
- Apple Mac OS X Server 10.4.1
- Apple Mac OS X Server 10.4.2
- Apple Mac OS X Server 10.4.3
- Apple Mac OS X Server 10.4.4
- Apple Mac OS X Server 10.4.5
- Apple Mac OS X Server 10.4.6
- Apple Mac OS X Server 10.4.7
- Apple Mac OS X Server 10.4.8
- Apple Mac OS X Server 10.4.9
- Apple Mac OS X Server 10.4.10
References:
- Apple: Mac OS X Home Page
- CVE: CVE-2007-0478
- CVE: CVE-2007-2403
- CVE: CVE-2007-2404
- CVE: CVE-2007-2405
- CVE: CVE-2007-2406
- CVE: CVE-2007-2407
- CVE: CVE-2007-2409
- CVE: CVE-2007-2410
- CVE: CVE-2007-3744
- CVE: CVE-2007-3745
- CVE: CVE-2007-3746
- CVE: CVE-2007-3747
- CVE: CVE-2007-3748
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.