
Apple releases two dozen patches for Mac OS X, one for iPhone

Apple cleans house in advance of annual Black Hat security conference.

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

In what appears to be a monthly patch cycle, Apple today released Security Update 2007-007. This update affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 and Mac OS X Server v10.4.9 and fixes fifty vulnerabilities with half as many patches. It appears Apple is clearing house in advance of the annual Black Hat security conference; the iPhone vulnerability was reported by one of Black Hat's scheduled speakers, Charlie Miller. This update is available from within Mac OS X via the Software Update pane in System Preferences, or from Apple's Software Download.

Patch for bzip2
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.10, Mac OS X Server v10.4.10 and addresses the vulnerability in CVE-2005-0758. Successful execution could result in arbitrary code execution. By enticing a user into running bzgrep on a file with a maliciously crafted name, an attacker may trigger the issue, which may lead to arbitrary code execution. This update addresses the issue through improved handling of file names.

Patch for CFNetwork
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.10, Mac OS X Server v10.4.10 and addresses the vulnerability in CVE-2007-2403. Successful execution may cause arbitrary FTP commands to be issued. By enticing a user to follow a maliciously crafted FTP URI, an attacker can cause the user's FTP client to issue arbitrary FTP commands to any accessible FTP server, using the credentials of the user. This update addresses the issue by performing additional validation of FTP URIs.

Patch for CFNetwork II
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.10, Mac OS X Server v10.4.10 and addresses the vulnerability in CVE-2007-2401. Successful execution could result in HTTP requests being vulnerable to a response splitting attack. An HTTP response splitting vulnerability exists in CFNetwork. By sending a maliciously crafted HTTP response to a user's HTTP request, an attacker may alter the user's consecutive responses, which could lead to cross-site scripting. This update addresses the issue through improved parsing of HTTP responses. Apple credits Steven Kramer of sprintteam.nl for reporting this vulnerability.

Patch for CoreAudio JDirect
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later and addresses the vulnerability in CVE-2007-3745. Successful execution may lead to arbitrary code execution. A design issue exists in the Java interface to CoreAudio. JDirect exposes an interface that may allow freeing arbitrary memory. By enticing a user to visit a Web page containing a maliciously crafted Java applet, an attacker can trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional security checks in the Java interface to CoreAudio.

Patch for CoreAudio Java
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.10, Mac OS X Server v10.4.10 and addresses the vulnerability in CVE-2007-3746. Successful execution may lead to arbitrary code execution. An issue exists in the Java interface to CoreAudio, which may allow reading or writing out of the bounds of the allocated heap. By enticing a user to visit a Web page containing a maliciously crafted Java applet, an attacker can trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional bounds checking.

Patch for CoreAudio
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later and addresses the vulnerability in CVE-2007-3747. Successful execution may lead to arbitrary code execution. An issue exists in the Java interface to CoreAudio, which may allow instantiation or manipulation of objects outside the bounds of the allocated heap. By enticing a user to visit a Web page containing a maliciously crafted Java applet, an attacker can trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional security checks in the Java interface to CoreAudio.

Patch for cscope
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.10, Mac OS X Server v10.4.10 and addresses the vulnerabilities in CVE-2004-0996 and CVE-2004-2541. Cscope is updated to version 15.6 to address several vulnerabilities, the most serious of which are buffer overflow and insecure temporary file creation vulnerabilities.

Patch for gnuzip
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.10, Mac OS X Server v10.4.10 and addresses the vulnerability in CVE-2007-0758. Successful execution may lead to arbitrary code execution. A file-name handling issue exists in zgrep. By enticing a user into running zgrep on a file with a maliciously crafted name, an attacker may trigger the issue, which may lead to arbitrary code execution. This update addresses the issue through improved handling of file names.

Patch for iChat
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.10, Mac OS X Server v10.4.10 and addresses the vulnerability in CVE-2007-3748. Successful execution may lead to arbitrary code execution. A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in iChat. By sending a maliciously crafted packet, an attacker on the local network can trigger the overflow, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation when processing UPnP protocol packets in iChat.

Patch for Kerberos
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later and addresses the vulnerabilities in CVE-2007-2442, CVE-2007-2443, and CVE-2007-2798. Multiple vulnerabilities exist in the MIT Kerberos administration daemon (kadmind), which may lead to an unexpected application termination or arbitrary code execution with system privileges. Apple credits the MIT Kerberos Team for reporting these issues, which were originally discovered by Wei Wang of McAfee Avert Labs.

Patch for mDNSResponder
This patch affects users of Mac OS X v10.4.10, Mac OS X Server v10.4.10 and addresses the vulnerability in CVE-2007-3744. Successful execution may lead to arbitrary code execution. A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in the Mac OS X implementation of mDNSResponder. By sending a maliciously crafted packet, an attacker on the local network can trigger the overflow, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by removing UPnP IGD support. This issue does not affect systems prior to Mac OS X v10.4.

Patch for PDFKit
This patch affects users of Mac OS X v10.4.10, Mac OS X Server v10.4.10 and addresses the vulnerability in CVE-2007-2405. Successful execution may lead to arbitrary code execution. An integer underflow exists in Preview's handling of PDF files. By enticing a user to open a maliciously crafted PDF file, an attacker may trigger the issue, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PDF files. This issue does not affect systems prior to Mac OS X v10.4.

Patch for PHP
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later and addresses the vulnerabilities in CVE-2007-1001, CVE-2007-1287, CVE-2007-1460, CVE-2007-1461, CVE-2007-1484, CVE-2007-1521, CVE-2007-1583, CVE-2007-1711, and CVE-2007-1717. PHP is updated to version 4.4.7 to address several vulnerabilities.

Patch for Quartz Composer
This patch affects users of Mac OS X v10.4.10, Mac OS X Server v10.4.10 and addresses the vulnerability in CVE-2007-2406. Successful execution may lead to an unexpected application termination or arbitrary code execution. An uninitialized object pointer vulnerability exists in the handling of Quartz Composer files. By enticing a user to view a maliciously crafted Quartz Composer file, an attacker may trigger the issue, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing proper initialization of object pointers. This issue does not affect systems prior to Mac OS X v10.4.

Patch for Samba
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.10, Mac OS X Server v10.4.10 and addresses the vulnerability in CVE-2007-2446. Successful execution may lead to arbitrary code execution. Multiple heap buffer overflows exist in the Samba daemon. By sending maliciously crafted MS-RPC requests, a remote attacker can trigger the overflow, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of MS-RPC requests.

Patch for Samba MS-RPC
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.10, Mac OS X Server v10.4.10 and addresses the vulnerability in CVE-2007-2399. Successful execution may lead to the execution of arbitrary shell commands. A command injection vulnerability exists in the Samba daemon. By sending maliciously crafted MS-RPC requests, a remote attacker can trigger the command injection. This update addresses the issue by performing additional validation of MS-RPC requests. This issue does not affect the default Samba configuration.

Patch for Samba
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.10, Mac OS X Server v10.4.10 and addresses the vulnerability in CVE-2007-2407. An issue exists in Samba when a server process drops its privileges. This could allow the quota enforcement to be bypassed, and the file system quota to be exceeded. This update addresses the issue by properly dropping privileges. Apple credits Mike Matz of Wyomissing Area School District for reporting this vulnerability.

Patch for SquirrelMail
This patch affects users of Mac OS X Server v10.3.9, Mac OS X Server v10.4.10 and addresses the vulnerabilities in CVE-2005-3128, CVE-2006-2842, CVE-2006-3174, CVE-2006-4019, CVE-2006-6142, CVE-2007-1262, and CVE-2007-2589. SquirrelMail is updated to version 1.4.10 to address several vulnerabilities, the most serious of which is cross-site scripting triggered by viewing HTML mail.

Patch for Tomcat
This patch affects users of Mac OS X Server v10.4.10 and addresses the vulnerabilities in CVE-2005-2090, CVE-2007-0450, CVE-2007-1358, and CVE-2007-1860. Tomcat is updated to version 4.1.36 to address several vulnerabilities, the most serious of which are cross-site scripting and information disclosure. Further information is available via the Tomcat site. These issues do not affect systems prior to Mac OS X v10.4.

Patch for WebKit
This patch affects users of Mac OS X v10.4.9 or later, Windows XP or Vista and addresses the vulnerability in CVE-2007-3743. Safari provides an "Enable Java" preference, which when unchecked should prevent the loading of Java applets. By default, Java applets are allowed to be loaded. Navigating to a maliciously crafted Web page may allow a Java applet to be loaded without checking the preference. Successful execution would involve visiting a malicious website that allows Java applets to load and run even when Java is disabled. Apple credits Rhys Kidd and Scott Wilde for reporting this vulnerability.

Patch for WebCore
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.10, Mac OS X Server v10.4.10 and addresses the vulnerability in CVE-2007-0478. Successful execution may lead to cross-site scripting attacks. An issue exists in WebCore when parsing comments inside an HTML title element. This can allow an attacker to insert scripts into a Web page on sites that allow the page owner to enter HTML but not scripts. This update addresses the issue by correctly parsing comments in title elements.

Patch for WebCore II
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.10, Mac OS X Server v10.4.10 and addresses the vulnerability in CVE-2007-2409. Successful execution could lead to cross-site scripting. A design issue in WebCore allows a pop-up window to read the URL that is currently being viewed in the parent window. By enticing a user to visit a maliciously crafted Web page, an attacker can trigger the issue, which may lead to the disclosure of information via the URL contents. This update addresses the issue through an improved cross-domain security check. Credit to Secunia Research for reporting this issue.

Patch for WebCore III
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.10, Mac OS X Server v10.4.10 and addresses the vulnerability in CVE-2007-2410. Successful execution could lead to cross-site scripting. In Safari, properties of certain global objects are not cleared when navigating to a new URL within the same window. By enticing a user to visit a maliciously crafted Web page, an attacker may trigger the issue, which may lead to cross-site scripting. This update addresses the issue by properly clearing global objects.

Patch for WebKit: International Domain Name (IDN)
This patch affects users of Mac OS X v10.4.9 or later, Windows XP, and Windows Vista, and addresses the vulnerability in CVE-2007-3742. The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL that contains look-alike characters. These could be used in a malicious Web site to direct the user to a spoofed site that visually appears to be a legitimate domain. Successful execution could allow a malicious user to place look-alike characters in a URL so that a spoofed Web site masquerades as a legitimate one. Apple credits Tomohito Yoshino of Business Architects for reporting this vulnerability.
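A defensive check for the look-alike problem described above, as an added example (it is not Apple's fix and not code from the article): it decodes Punycode labels and flags any hostname label whose letters come from more than one script. The allowed-mix policy, the function names and the sample hostnames are assumptions constructed for illustration.

```python
import unicodedata

# Script combinations that occur in ordinary writing and are not flagged
# (assumed policy for this example, not a standard list).
ALLOWED_MIXES = [{"CJK", "HIRAGANA", "KATAKANA", "LATIN"},
                 {"CJK", "HANGUL", "LATIN"}]

def to_unicode(label):
    """Decode one DNS label; labels starting with 'xn--' carry Punycode."""
    label = label.lower()
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed ACE label: leave it as typed
    return label

def scripts_in(label):
    """Scripts used by the letters of a label, taken from the first
    word of each character's Unicode name (digits and '-' are ignored)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def suspicious_labels(hostname):
    """Return [(unicode_label, sorted_scripts)] for labels mixing scripts."""
    findings = []
    for raw in hostname.rstrip(".").split("."):
        label = to_unicode(raw)
        scripts = scripts_in(label)
        if len(scripts) > 1 and not any(scripts <= ok for ok in ALLOWED_MIXES):
            findings.append((label, sorted(scripts)))
    return findings

def ace(label):
    """Build the 'xn--' wire form of a Unicode label (helper for the samples)."""
    return "xn--" + label.encode("punycode").decode("ascii")

# Constructed samples: Cyrillic U+0430 in place of Latin 'a', plus benign hosts.
SPOOF = ace("\u0430pple") + ".example"
BENIGN = ["apple.example",
          ace("\u043f\u0440\u0438\u043c\u0435\u0440") + ".example",
          ace("\u6771\u4eactower") + ".example"]

if __name__ == "__main__":
    for host in [SPOOF] + BENIGN:
        print(host, suspicious_labels(host))
```

A label written entirely in one non-Latin script that happens to resemble a Latin name passes this check; catching that case needs a confusables table.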

Patch for WebKit: Perl Compatible Regular Expressions (PCRE) library
This patch affects users of Mac OS X v10.4.9 or later, Windows XP, and Windows Vista, and addresses the vulnerability in CVE-2007-3944. A memory corruption issue exists with invalid type conversion when rendering frame sets. Visiting a maliciously crafted Web site could allow a denial-of-service (crash) or arbitrary code execution. Apple credits Charlie Miller and Jake Honoroff of Independent Security Evaluators for reporting these vulnerabilities.