Multiple vulnerabilities have been identified in Apple Mac OS X, which could be exploited by remote or local attackers to execute arbitrary commands, cause a denial of service, disclose sensitive information, or bypass security restrictions.
The first issue is caused by an error in CFNetwork when processing FTP URIs, which could be exploited by attackers to cause a user's FTP client to issue arbitrary FTP commands to any accessible FTP server (using the credentials of the user) when following a specially crafted FTP URI.
The second vulnerability is caused by an input validation error in CFNetwork when processing HTTP responses, which could be exploited to conduct HTTP response splitting attacks.
The third issue is caused by a design error in the Java interface to CoreAudio (JDirect), which could be exploited by remote attackers to cause a vulnerable application to free arbitrary memory and execute arbitrary code by tricking a user into visiting a web page containing a malicious Java applet.
The fourth vulnerability is caused by a design error in the Java interface to CoreAudio (JDirect), which could be exploited by remote attackers to cause a vulnerable application to read or write out of the bounds of the allocated heap and execute arbitrary code by tricking a user into visiting a web page containing a malicious Java applet.
The fifth issue is caused by a design error in the Java interface to CoreAudio (JDirect), which could be exploited by remote attackers to cause a vulnerable application to manipulate objects outside the bounds of the allocated heap and execute arbitrary code by tricking a user into visiting a web page containing a malicious Java applet.
The sixth vulnerability is caused by a buffer overflow error in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in iChat, which could be exploited by attackers on the local network to crash an affected application or execute arbitrary code via specially crafted packets.
The seventh issue is caused by a buffer overflow error in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in the Mac OS X implementation of mDNSResponder, which could be exploited by attackers on the local network to crash an affected application or execute arbitrary code via specially crafted packets.
The eighth vulnerability is caused by an integer overflow error in PDFKit when processing malformed PDF files, which could be exploited by attackers to execute arbitrary code by tricking a user into opening a specially crafted PDF document.
The ninth issue is caused by an uninitialized object pointer in Quartz Composer, which could be exploited by attackers to crash an affected application or execute arbitrary code via a malicious file.
The tenth vulnerability is caused by an error in Samba when a server process drops its privileges, which could allow the quota enforcement to be bypassed and the file system quota to be exceeded.
The eleventh issue is caused by an error in the handling of the "Enable Java" preference within Safari, which could be exploited by attackers to load and run arbitrary applets even when Java is disabled.
The twelfth vulnerability is caused by an input validation error in WebCore when parsing comments inside an HTML title element, which could be exploited to conduct cross site scripting attacks.
The thirteenth issue is caused by a design error in WebCore allowing a popup window to read the URL that is currently being viewed in the parent window, which may lead to the disclosure of information via the URL contents.
The fourteenth vulnerability is caused by an error in Safari that does not properly clear properties of certain global objects when navigating to a new URL within the same window, which could be exploited to conduct cross site scripting attacks.
The fifteenth issue is caused by an error in WebKit when processing domain names containing Unicode characters, which could be exploited to masquerade a website and conduct spoofing attacks.
The sixteenth vulnerability is caused by a heap overflow error in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine, which could be exploited by remote attackers to execute arbitrary code by tricking a user into visiting a malicious web page.
Other vulnerabilities affecting bzip2, cscope, gnuzip, Kerberos, PHP, Samba, SquirrelMail, and Tomcat have also been addressed. For additional information, see : FrSIRT/ADV-2005-0460 - FrSIRT/ADV-2007-2337 - FrSIRT/ADV-2007-1269 - FrSIRT/ADV-2007-0791 - FrSIRT/ADV-2007-0974 - FrSIRT/ADV-2007-0960 - FrSIRT/ADV-2007-1805 - FrSIRT/ADV-2005-1887 - FrSIRT/ADV-2006-2101 - FrSIRT/ADV-2006-3271 - FrSIRT/ADV-2006-4828 - FrSIRT/ADV-2007-1748 - FrSIRT/ADV-2007-1729 - FrSIRT/ADV-2007-0975 - FrSIRT/ADV-2007-1941
Credits
Vulnerabilities reported by Steven Kramer (sprintteam.nl), Mike Matz (Wyomissing Area School District), Scott Wilde, Secunia Research, and Charlie Miller and Jake Honoroff (Independent Security Evaluators).
ChangeLog
2007-08-01 : Initial release
Vulnerability Management
Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
French
