Archive for Advisories

Apple Patches Leopard Firewall Issues

APPLE-SA-2007-11-15 Mac OS X v10.5.1 Update

Mac OS X v10.5.1 Update is now available and addresses the following
issues:

Application Firewall
CVE-ID: CVE-2007-4702
Available for: Mac OS X v10.5, Mac OS X Server v10.5
Impact: The “Block all incoming connections” setting for the
firewall is misleading
Description: The “Block all incoming connections” setting for the
Application Firewall allows any process running as user “root” (UID
0) to receive incoming connections, and also allows mDNSResponder to
receive connections. This could result in the unexpected exposure of
network services. This update addresses the issue by more accurately
describing the option as “Allow only essential services”, and by
limiting the processes permitted to receive incoming connections
under this setting to a small fixed set of system services: configd
(for DHCP and other network configuration protocols), mDNSResponder
(for Bonjour), and racoon (for IPSec). The “Help” content for the
Application Firewall is also updated to provide further information.
This issue does not affect systems prior to Mac OS X v10.5.

Application Firewall
CVE-ID: CVE-2007-4703
Available for: Mac OS X v10.5, Mac OS X Server v10.5
Impact: Processes running as user “root” (UID 0) cannot be blocked
when the firewall is set to “Set access for specific services and
applications”
Description: The “Set access for specific services and applications”
setting for the Application Firewall allows any process running as
user “root” (UID 0) to receive incoming connections, even if its
executable is specifically added to the list of programs and its
entry in the list is marked as “Block incoming connections”. This
could result in the unexpected exposure of network services. This
update corrects the issue so that any executable so marked is
blocked. This issue does not affect systems prior to Mac OS X v10.5.

Application Firewall
CVE-ID: CVE-2007-4704
Available for: Mac OS X v10.5, Mac OS X Server v10.5
Impact: Changes to Application Firewall settings do not affect
processes started by launchd until they are restarted
Description: When the Application Firewall settings are changed, a
running process started by launchd will not be affected until it is
restarted. A user might expect changes to take effect immediately and
so leave their system exposed to network access. This update corrects
the issue so that changes take effect immediately. This issue does
not affect systems prior to Mac OS X v10.5.

http://docs.info.apple.com/article.html?artnum=61798
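The first two issues above (CVE-2007-4702 and CVE-2007-4703) come down to the same exposure: a process with a socket bound as root could receive connections regardless of the firewall mode. The script below is an added example, not Apple's code or anything from the advisory. It enumerates root-owned sockets that can receive unsolicited traffic (TCP in LISTEN, or an unconnected UDP socket) from `lsof -nP +c 0 -i` output, drops the three services Apple still admits under "Allow only essential services", and, for the per-application mode, reports executables marked "Block incoming connections" that are nonetheless listening as root. The lsof sample is constructed, not captured from a real host, so the script runs offline; on a 10.5 machine you would pipe real lsof output in instead, and confirm reachability of anything it lists with a connection attempt from another host, since the script only finds candidates and does not test the filter itself.

```shell
#!/bin/sh
# Added example (not Apple's code): enumerate processes that accept inbound
# connections as root, the exposure class the 10.5.1 firewall fixes address.
# On a live 10.5 host feed it `lsof -nP +c 0 -i`; the input here is a
# constructed sample so the script runs offline.

# Constructed sample of `lsof -nP +c 0 -i` output (not captured from a real host).
# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]
SAMPLE_LSOF='COMMAND         PID           USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd           1           root   13u  IPv4 0x0001      0t0  TCP *:22 (LISTEN)
mDNSResponder    25 _mdnsresponder    7u  IPv4 0x0002      0t0  UDP *:5353
configd          30           root    6u  IPv4 0x0003      0t0  UDP *:68
racoon           40           root    8u  IPv4 0x0004      0t0  UDP *:500
httpd           120           root    4u  IPv6 0x0005      0t0  TCP *:80 (LISTEN)
nc              300           root    3u  IPv4 0x0006      0t0  TCP *:4444 (LISTEN)
Safari          400          alice    9u  IPv4 0x0007      0t0  TCP 192.168.1.5:49152->17.0.0.1:443 (ESTABLISHED)
ntpd            410           root   20u  IPv4 0x0008      0t0  UDP 192.168.1.5:123->192.168.1.1:123
python          500          alice    3u  IPv4 0x0009      0t0  TCP *:8000 (LISTEN)'

# The fixed set that 10.5.1 still admits under "Allow only essential services".
ESSENTIAL='configd mDNSResponder racoon'

# Print "COMMAND PID PROTO ADDR" for every root-owned socket that can receive
# unsolicited traffic: TCP in LISTEN, or a UDP socket with no peer ("->").
root_listeners() {
    awk 'NR > 1 && $3 == "root" {
             if ($8 == "TCP" && $10 == "(LISTEN)") print $1, $2, $8, $9
             else if ($8 == "UDP" && index($9, "->") == 0) print $1, $2, $8, $9
         }'
}

# Drop the essential services; what remains is what a user who chose
# "Block all incoming connections" on 10.5.0 would not expect to be reachable.
unexpected_root_listeners() {
    root_listeners | awk -v keep="$ESSENTIAL" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        !($1 in ok)'
}

# Per-application mode (CVE-2007-4703): given the executables the user marked
# "Block incoming connections" (space-separated in $1), report the ones still
# listening as root. On 10.5.0 these were reachable anyway; on 10.5.1 they
# should be blocked, which you confirm from another host, not from this list.
blocked_but_listening() {
    root_listeners | awk -v blocked="$1" '
        BEGIN { n = split(blocked, b, " "); for (i = 1; i <= n; i++) bl[b[i]] = 1 }
        $1 in bl'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LSOF" | unexpected_root_listeners
printf '%s\n' "$SAMPLE_LSOF" | blocked_but_listening "nc httpd"
```

Against the sample this flags launchd (port 22), httpd (port 80) and nc (port 4444) as root listeners outside the essential set, ignores the connected ntpd socket and the non-root mDNSResponder and python listeners, and reports httpd and nc as marked-blocked yet still bound. The `+c 0` flag matters on a real host: without it lsof truncates the COMMAND column and names such as mDNSResponder will not match the essential list.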


Microsoft Office Publisher 2007 DoS

Within the first five minutes of fuzzing Publisher 2007, I found 5 different bugs. Anyway, this one is only a DoS, but the others I am still investigating. Below is a link to the advisory:

Microsoft Office Publisher 2007 DoS


Apple OS X ImageIO ‘gifGetBandProc’ Integer Overflow

From the advisory:

An integer overflow vulnerability exists within ImageIO when processing a malformed .gif file. This allows for an attacker to cause the application to crash and/or to execute arbitrary code on the targeted host.

Below is a link to the advisory:

Apple OS X ImageIO “gifGetBandProc” Integer Overflow


Apple OS X WebKit WebCore::ArrayImpl “ROWSPAN” DoS

Was bored over the weekend…  Below is an overview of the advisory:

“A denial of service (null pointer) vulnerability exists within WebKit which allows for an attacker to post a specially crafted .html page causing the application to crash. This is basically a follow-up to another flaw which was reported by Yannick von Arx, that was fixed in the latest build of WebKit but was not fixed in Safari.”

Full advisory here: sp-x41-advisory


Apple Releases Security Update 2006-007

So Apple has finally released the 2006-007 (Bond Edition) security update which fixes 31 security vulnerabilities!  Twelve of the 22 fixes allow remote code execution. Anyway, I reported a bunch of different Safari flaws and it looks like only one of them got fixed this round.  Below are links to the advisories:

Apple OSX Safari 2.0.4 “WebTextRenderer” DoS
Apple OSX Safari 2.0.4 “RenderBlock::createLineBoxes” DoS
Apple OSX Safari 2.0.4 Out-of-Bounds Memory Read
