Massive Security Update for Mac OS X Explained

March 19, 2008


Apple recommends this update for all Mac OS X users to improve the security of their systems. To get the update, go to the Software Update pane in System Preferences, or visit Apple’s Software Downloads page. APPLE-SA-2008-03-18 Security Update 2008-002 contains more than 40 specific fixes for versions of Mac OS X.

Here is a quick explanation of the latest updates:

AFP Client - afp:// URL (CVE-2007-4680)
A remote attacker may be able to cause a certificate to appear trusted. Multiple stack buffer overflow issues exist in AFP Client’s handling of afp:// URLs. By enticing a user to connect to a malicious AFP Server, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issues through improved bounds checking.

AFP Server - Cross-realm authentication (CVE-2008-0045)
Apple says: “An implementation issue exists in AFP Server’s check of Kerberos principal realm names. This may allow unauthorized connections to the server when cross-realm authentication with AFP Server is used. This update addresses the issue through improved checks of Kerberos principal realm names.”

Apache - 1 (CVE-2005-3352, CVE-2006-3747, CVE-2007-3847, CVE-2007-5000, CVE-2007-6388)
Apache is updated to version 1.3.41 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution.

Apache - 2 (CVE-2007-5000, CVE-2007-6203, CVE-2007-6388, CVE-2007-6421, CVE-2008-0005)
Apache is updated to version 2.2.8 to address several vulnerabilities, the most serious of which may lead to cross-site scripting.

AppKit - NSDocument API (CVE-2008-0048)
A stack buffer overflow exists in the NSDocument API’s handling of file names, but on most file systems, this issue is not exploitable. This update addresses the issue through improved bounds checking.

AppKit - NSApplication (CVE-2008-0049)
By sending maliciously crafted messages to privileged applications in the same bootstrap namespace, a local user may cause arbitrary code execution with the privileges of the target application. This update addresses the issue by removing the mach port in question and using another method to synchronize.

AppKit - Multiple integer overflow (CVE-2008-0057)
By causing a maliciously formatted serialized property list to be parsed, an attacker could trigger a heap-based buffer overflow which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of serialized input.

AppKit - network printer (CVE-2008-099)
By enticing a user to query a network printer, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of PPD files.

Application Firewall [German] (CVE-2008-0046)
This update addresses the issue by changing the German text to semantically match the English text.

CFNetwork (CVE-2008-0050)
Apple says “a malicious HTTPS proxy server may return arbitrary data to CFNetwork in a 502 Bad Gateway error. A malicious proxy server could use this to spoof secure websites. This update addresses the issue by returning an error on any proxy error, instead of returning the proxy-supplied data.”

ClamAV - 1 (CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-5759, CVE-2007-6335, CVE-2007-6336, CVE-2007-6337, CVE-2008-0318, CVE-2008-0728)
This update addresses multiple vulnerabilities in ClamAV 0.90.3, the version present on Mac OS X Server v10.5 systems, by updating to ClamAV 0.92.1.

ClamAV - 2 (CVE-2006-6481, CVE-2007-1745, CVE-2007-1997, CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-0897, CVE-2007-0898, CVE-2008-0318, CVE-2008-0728)
This update addresses multiple vulnerabilities in ClamAV 0.88.5 by updating to ClamAV 0.92.1.

CoreServices (CVE-2008-0052)
Files with names ending in “.ief” can be automatically opened in AppleWorks if Safari’s “Open ‘Safe’ files” preference is enabled. This is not the intended behavior and could lead to security policy violations. This update addresses the issue by removing “.ief” from the list of safe file types.

CUPS (CVE-2008-0596)
By sending a large number of requests to add and remove shared printers, an attacker may be able to cause a denial of service. This update addresses the issue through improved memory management.

CUPS (CVE-2008-0047)
If printer sharing is enabled, a remote attacker may be able to cause an unexpected application termination or arbitrary code execution with system privileges. If printer sharing is not enabled, a local user may be able to gain system privileges. This update addresses the issue by performing additional bounds checking.

CUPS (CVE-2008-0882)
Multiple input validation issues exist in CUPS, the most serious of which may lead to arbitrary code execution with system privileges. This update addresses the issues by updating to CUPS 1.3.6.

curl (CVE-2005-4077)
A one-byte buffer overflow exists in curl 7.13.1. This update addresses the issue by updating curl to version 7.16.3.

Emacs (CVE-2007-6109)
By exploiting vulnerable Emacs Lisp which allows an attacker to provide a format string containing a large precision value, an attacker may cause an unexpected application termination or possibly arbitrary code execution.

Emacs (CVE-2007-5795)
A logic error in Emacs’ hack-local-variable function allows any local variable to be set, even if ‘enable-local-variables’ is set to :safe. By enticing a user to load a file containing a maliciously crafted local variables declaration, a local user may cause an unauthorized modification of Emacs Lisp variables leading to arbitrary code execution. This issue has been fixed through improved :safe mode checks.

file (CVE-2008-1004)
Affected users may find that requesting to unblock a website leads to information disclosure. This update addresses the issue through improved bounds checking.

Foundation - 1 (CVE-2008-0054)
An input validation issue exists in the NSSelectorFromString API. Passing it a malformed selector name may result in the return of an unexpected selector, which could lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation on the selector name.

Foundation - 2 (CVE-2008-0055)
When performing a recursive file copying operation, NSFileManager creates directories as world-writable and only later restricts the permissions. This may lead to a privilege escalation to that of the application using the API. This update addresses the issue by creating directories with restrictive permissions.
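The fix Apple describes is to create directories with the final, restrictive mode in one step rather than creating them open and tightening them afterwards. The following is an added example written for this article, not Apple's NSFileManager code: it creates a directory owner-only from the start, refuses to adopt a directory that already exists at the path (so a pre-planted directory or symlink is never reused), and verifies the result with lstat. The scratch location under /tmp and the subdirectory name are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` with owner-only permissions in a single step. Creating the
 * directory world-writable and chmod'ing it later leaves a window in which
 * any local user can drop files into it; creating it restrictive from the
 * start closes that window. An existing directory is a failure (EEXIST),
 * never silently adopted. Returns 0 on success, -1 on failure (errno set). */
int create_private_dir(const char *path)
{
    /* S_IRWXU is 0700; umask can only clear bits, never add group/other. */
    if (mkdir(path, S_IRWXU) != 0)
        return -1;
    return 0;
}

/* Return the permission bits of `path` if it is a real directory owned by
 * the caller, or -1 otherwise. lstat is used so a symlink planted at the
 * path is reported as a symlink rather than followed. */
int private_dir_mode(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != getuid())
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Self-contained demonstration (scratch tree constructed for this example):
 * make a temporary directory with mkdtemp, create a private subdirectory in
 * it, check that a second create is refused, and return the permission bits
 * of the subdirectory (expected 0700) or -1 on any failure. The scratch
 * tree is removed before returning. */
int demo_private_dir(void)
{
    char tmpl[] = "/tmp/privdir-demo-XXXXXX";
    if (mkdtemp(tmpl) == NULL)
        return -1;

    char sub[sizeof tmpl + 8];
    snprintf(sub, sizeof sub, "%s/secret", tmpl);

    int mode = -1;
    if (create_private_dir(sub) == 0) {
        mode = private_dir_mode(sub);
        /* Creating it again must fail with EEXIST, not reuse the directory. */
        if (create_private_dir(sub) == 0 || errno != EEXIST)
            mode = -1;
        rmdir(sub);
    }
    rmdir(tmpl);
    return mode;
}

int main(void)
{
    int mode = demo_private_dir();
    if (mode < 0) {
        perror("demo_private_dir");
        return 1;
    }
    printf("private directory created with mode %04o\n", mode);
    return 0;
}
```

The ordering is the whole point: permissions are part of the create call, so there is no instant at which the directory exists with a mode the application did not intend.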

Foundation - 3 (CVE-2008-0056)
A long pathname with an unexpected structure can expose a stack buffer overflow vulnerability in NSFileManager. This update addresses the issue by ensuring a properly sized destination buffer.

Foundation - 4 (CVE-2008-0058)
A thread race condition exists in NSURLConnection’s cache management, which can cause a deallocated object to receive messages. Triggering this issue may lead to a denial of service, or arbitrary code execution with the privileges of Safari or another program using NSURLConnection. This update addresses the issue by removing an unsynchronized caching operation.

Foundation - 5 (CVE-2008-0059)
By enticing a user to process an XML file in an application which uses NSXML, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improvements to the error handling logic of NSXML.

Help Viewer (CVE-2008-0060)
A malicious help:topic_list URL may insert arbitrary HTML or JavaScript into the generated topic list page, which may redirect to a Help Viewer help:runscript link that runs Applescript. This update addresses the issue by performing HTML escaping on the URL data used in help topic lists before building the generated page.
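The fix for the Help Viewer issue is output encoding: data taken from the URL is HTML-escaped before it is placed into the generated page, so it can no longer introduce markup or script. Below is an added example written for this article, not Help Viewer's code, showing a small escaper for the five characters that matter in HTML text and attributes, and a topic-list entry built from an untrusted title. The `help:topic` href and the sample title are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not Help Viewer's code. Escape the five characters
 * that can change HTML structure or break out of an attribute: & < > " '.
 * Writes at most outlen-1 bytes plus a NUL and returns the length the fully
 * escaped text needs (snprintf-style), so a caller detects truncation by
 * checking for a return value >= outlen. With outlen == 0, out is untouched. */
size_t html_escape(const char *in, char *out, size_t outlen)
{
    size_t needed = 0, written = 0;
    int truncated = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        size_t rlen = rep ? strlen(rep) : 1;
        /* Never emit half an entity: once something does not fit, stop. */
        if (!truncated && written + rlen < outlen) {
            if (rep)
                memcpy(out + written, rep, rlen);
            else
                out[written] = (char)*p;
            written += rlen;
        } else {
            truncated = 1;
        }
        needed += rlen;
    }
    if (outlen > 0)
        out[written] = '\0';
    return needed;
}

/* Render one topic-list entry from an untrusted title. The title is escaped
 * before it is interpolated into the markup. Returns 1 on success, 0 if a
 * buffer was too small (the entry is then not emitted at all). */
int render_topic_item(const char *title, char *out, size_t outlen)
{
    char safe[512];
    if (html_escape(title, safe, sizeof safe) >= sizeof safe)
        return 0;
    int n = snprintf(out, outlen, "<li><a href=\"help:topic\">%s</a></li>", safe);
    return n >= 0 && (size_t)n < outlen;
}

/* Helper: 1 if escaping `in` yields exactly `expected`. */
int escapes_to(const char *in, const char *expected)
{
    char buf[512];
    if (html_escape(in, buf, sizeof buf) >= sizeof buf)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Title constructed for this example: the kind of value a crafted
     * help:topic_list URL could carry into the generated page. */
    const char *title = "Setup <script>alert(1)</script> & \"tips\"";
    char item[1024];
    if (render_topic_item(title, item, sizeof item))
        puts(item);
    return 0;
}
```

Escaping at the point where data becomes HTML, rather than filtering the URL on the way in, is what makes the generated page safe regardless of how the value arrived.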

Image Raw (CVE-2008-0987)
A stack based buffer overflow exists in the handling of Adobe Digital Negative (DNG) image files. This update addresses the issue through improved validation of DNG image files.

Kerberos (CVE-2007-5901, CVE-2007-5971, CVE-2008-0062, and CVE-2008-0063)
Multiple memory corruption issues exist in MIT Kerberos 5, which may lead to an unexpected application termination or arbitrary code execution with system privileges.

libc (CVE-2008-0988)
An off-by-one issue exists in Libsystem’s strnstr(3) implementation. Applications that use the strnstr API can read one byte beyond the limit specified by the user, which may lead to an unexpected application termination. This update addresses the issue through improved bounds checking.
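A bounded search reads past its limit when the loop condition is off by one, which is the class of defect described for strnstr(3). The following is an added example written for this article, not Apple's Libsystem implementation: a bounded substring search in which the loop bound is written so that every byte examined lies strictly below the caller's limit, exercised on a buffer that has no terminator at all. The sample inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not Apple's Libsystem code: a bounded substring
 * search in which every byte examined lies strictly below `len`. Returns
 * the offset of the first occurrence of `needle` within the first `len`
 * bytes of `haystack`, or -1 if it is absent. The haystack need not be
 * NUL-terminated within `len`. */
long bounded_strnstr(const char *haystack, const char *needle, size_t len)
{
    size_t nlen = strlen(needle);
    if (nlen == 0)
        return 0;               /* empty needle matches at the start */

    /* A match of nlen bytes starting at i needs i + nlen <= len. Writing
     * this as i <= len, or as i + nlen <= len + 1, is the off-by-one that
     * makes the search touch haystack[len], one byte past the limit. */
    for (size_t i = 0; i + nlen <= len; i++) {
        if (haystack[i] == '\0')
            return -1;          /* a terminator ends the search */
        if (memcmp(haystack + i, needle, nlen) == 0)
            return (long)i;     /* memcmp stays within [i, i + nlen) */
    }
    return -1;
}

/* Sample input constructed for this example: a 4-byte buffer with no
 * terminator, which is exactly the case where reading one byte too far
 * becomes an out-of-bounds read. Returns the offset found. */
long search_unterminated_sample(void)
{
    char buf[4] = { 'a', 'b', 'c', 'd' };   /* no trailing NUL */
    return bounded_strnstr(buf, "cd", sizeof buf);
}

int main(void)
{
    printf("\"XYZ\" in \"abcXYZ\" within 6 bytes: %ld\n",
           bounded_strnstr("abcXYZ", "XYZ", 6));
    printf("\"XYZ\" in \"abcXYZ\" within 5 bytes: %ld\n",
           bounded_strnstr("abcXYZ", "XYZ", 5));
    printf("\"cd\" in an unterminated 4-byte buffer: %ld\n",
           search_unterminated_sample());
    return 0;
}
```

The second call is the informative one: the needle is present in the string, but its last byte sits at index 5, outside a 5-byte limit, so a correct search reports it absent instead of reaching for that byte.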

mDNSResponder (CVE-2008-0989)
Apple says “a format string issue exists in mDNSResponderHelper. By setting the local hostname to a maliciously crafted string, a local user could cause a denial of service or arbitrary code execution with the privileges of mDNSResponderHelper. This update addresses the issue by using a static format string.”
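The fix Apple describes, using a static format string, means the untrusted hostname only ever appears as an argument to a `%s` conversion, where any `%` sequences it contains are copied literally. This added example, written for this article and not taken from mDNSResponderHelper, shows that pattern together with a small audit helper that counts the directives a value would trigger if it were ever misused as a format. The message text and the crafted hostname are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not Apple's mDNSResponderHelper code. The hostname
 * comes from an untrusted party; the format string is a compile-time
 * constant and the hostname is only the argument of %s, so any %n, %x or
 * %s inside it is copied literally instead of being interpreted.
 * Returns the length the full message needs (snprintf semantics). */
int format_hostname_message(const char *hostname, char *out, size_t outlen)
{
    return snprintf(out, outlen, "local hostname set to '%s'", hostname);
}

/* The bug class, for contrast: passing the untrusted text as the format
 * itself (snprintf(out, outlen, hostname)) would make the C library
 * interpret every directive in it. That line is deliberately not present
 * in compilable form anywhere in this example. */

/* Count the conversion directives a string would trigger if it were ever
 * used as a format: each '%' not immediately followed by another '%'.
 * Useful for flagging suspicious hostname values in logs or configuration. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%')
            p++;                /* "%%" is a literal percent sign */
        else
            n++;
    }
    return n;
}

/* Return 1 if the rendered message contains the hostname byte-for-byte,
 * i.e. nothing in it was treated as a directive; 0 if it did not fit. */
int message_preserves_input(const char *hostname)
{
    char msg[256];
    int needed = format_hostname_message(hostname, msg, sizeof msg);
    if (needed < 0 || (size_t)needed >= sizeof msg)
        return 0;
    return strstr(msg, hostname) != NULL;
}

int main(void)
{
    /* Hostname value constructed for this example. */
    const char *crafted = "evil%n%n%x%s";
    char msg[256];
    format_hostname_message(crafted, msg, sizeof msg);
    printf("%s\n", msg);
    printf("directives the value would trigger as a format: %d\n",
           count_format_directives(crafted));
    return 0;
}
```

The audit helper is a detection aid only; the static format string is the actual fix, and it holds no matter what the hostname contains.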

notifyd (CVE-2008-0990)
Notably, notifyd accepts Mach port death notifications without verifying that they come from the kernel. If a local user sends fake Mach port death notifications to notifyd, applications that use the notify(3) API to register for notifications may never receive the notifications. This update addresses the issue by only accepting Mach port death notifications from the kernel.

OpenSSH (CVE-2007-4752)
OpenSSH forwards a trusted X11 cookie when it cannot create an untrusted one. This may allow a remote attacker to gain elevated privileges. This update addresses the issue by updating OpenSSH to version 4.7.

pax archive utility (CVE-2008-0992)
The pax command line tool does not check a length in its input before using it as an array index, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by checking the index.

PHP (CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768, CVE-2007-4887)
PHP is updated to version 5.2.5 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.

PHP (CVE-2007-3378 and CVE-2007-3799)
PHP is updated to version 4.4.8 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.

Podcast Producer (CVE-2008-0993)
The Podcast Capture application provides passwords to a subtask through the arguments, potentially exposing the passwords to other local users. This update corrects the issue by providing passwords to the subtask through a pipe.

Preview (CVE-2008-099)
When Preview saves a PDF file with encryption, it uses 40-bit RC4. This encryption algorithm may be broken with significant but readily available computing power. A person with access to the file may apply a brute-force technique to view it. This update enhances the encryption to 128-bit RC4.

Printing (CVE-2008-0995)
Printing to a PDF file and setting an ‘open’ password uses 40-bit RC4. This encryption algorithm may be broken with significant but readily available computing power. A person with access to the file may apply a brute-force technique to view it. This update enhances the encryption to 128-bit RC4.

Printing (CVE-2008-0996)
An information disclosure issue exists in the handling of authenticated print queues. When starting a job on an authenticated print queue, the credentials used for authentication may be saved to disk. This update addresses the issue by removing user credentials from printing presets before saving them to disk.

System Configuration (CVE-2008-0998)
The privileged tool NetCfgTool uses distributed objects to communicate with untrusted client programs on the local machine. By sending a maliciously crafted message, a local user can bypass the authorization step and may cause arbitrary code execution with the privileges of the privileged program. This update addresses the issue by performing additional validation of distributed objects.

UDF (CVE-2008-0999)
A null pointer dereference issue exists in the handling of Universal Disc Format (UDF) file systems. By enticing a user to open a maliciously crafted disk image, an attacker may cause an unexpected system shutdown. This update addresses the issue through improved validation of UDF file systems.

X11 (CVE-2008-1000)
A path traversal issue exists in the Mac OS X v10.5 Server Wiki Server. Attackers with access to edit wiki content may upload files that leverage this issue to place content wherever the wiki server can write, which may lead to arbitrary code execution with the privileges of the wiki server. This update addresses the issue through improved file name handling.

X11 (CVE-2007-4568 and CVE-2007-4990)
Multiple vulnerabilities exist in X11 X Font Server (XFS) 1.0.4, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to version 1.0.5.

X11 (CVE-2006-3334, CVE-2006-5793, CVE-2007-2445, CVE-2007-5266, CVE-2007-5267, CVE-2007-5268, and CVE-2007-5269)
The PNG reference library (libpng) is updated to version 1.2.24 to address several vulnerabilities, the most serious of which may lead to a remote denial of service or arbitrary code execution.

X11 (CVE-2007-5958, CVE-2008-0006, CVE-2007-6427, CVE-2007-6428, and CVE-2007-6429)
Numerous vulnerabilities in the X11 server allow execution of arbitrary code with the privileges of the user running the X11 server if the attacker can authenticate to the X11 server. This is a security vulnerability only if the X11 server is configured to not require authentication, which Apple does not recommend. This update fixes the issue by applying the updated X.Org patches.
