TECHNICAL BULLETIN
| PROBLEM: | Apple Mac OS X Code Execution and Security Bypass Vulnerabilities |
| PLATFORM: | Mac OS X version 10.4.11 and prior; Mac OS X Server version 10.4.11 and prior; Mac OS X versions 10.5 through 10.5.7; Mac OS X Server versions 10.5 through 10.5.7 |
| ABSTRACT: | Multiple vulnerabilities have been identified in Apple Mac OS X, which could be exploited by remote or local attackers to disclose sensitive information, bypass security restrictions, cause a denial of service or compromise an affected system. These issues are caused by out-of-bounds memory access issues, input validation errors, buffer overflows, uninitialized memory access issues, integer overflows, uninitialized pointers, implementation issues, format string errors, and logic and synchronization issues in bzip2, CFNetwork, ColorSync, CoreTypes, Dock, Image RAW, ImageIO, Kernel, launchd, Login Window, MobileMe, Networking, and XQuery. |
| IMPACT ASSESSMENT: | This risk is high. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, bypass security mechanisms, operate with escalated privileges, or obtain sensitive information. |
Discussion:

bzip2: (CVE-2008-1372) Description: An out-of-bounds memory access exists in bzip2. Opening a maliciously crafted compressed file may lead to an unexpected application termination. This update addresses the issue by updating bzip2 to version 1.0.5. Further information is available via the bzip2 web site at http://bzip.org/

CFNetwork: (CVE-2009-1723) Description: When Safari reaches a website via a 302 redirection and a certificate warning is displayed, the warning will contain the original website URL instead of the current website URL. This may allow a maliciously crafted website that is reached via an open redirector on a user-trusted website to control the displayed website URL in a certificate warning. This issue was addressed by returning the correct URL in the underlying CFNetwork layer. This issue does not affect systems prior to Mac OS X v10.5.

ColorSync: (CVE-2009-1726) Description: A heap buffer overflow exists in the handling of images with an embedded ColorSync profile. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of ColorSync profiles.

CoreTypes: (CVE-2009-1727) Description: This update extends the system's list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious JavaScript payload. This update improves the system's ability to notify users before handling content types used by Safari. Credit to Brian Mastenbrook, and Clint Ruoho of Laconic Security for reporting this issue.

Dock: (CVE-2009-0151) Description: The screen saver does not block four-finger Multi-Touch gestures, which may allow a person with physical access to a locked system to manage applications or use Expose. This update addresses the issue by properly blocking Multi-Touch gestures when the screen saver is running. This issue only affects systems with a Multi-Touch trackpad.

Image RAW: (CVE-2009-1728) Description: A stack buffer overflow exists in the handling of Canon RAW images. Viewing a maliciously crafted Canon RAW image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. For Mac OS X v10.4 systems, this issue is already addressed with Digital Camera RAW Compatibility Update 2.6.

ImageIO: (CVE-2009-1720 through CVE-2009-1722, CVE-2009-2188, CVE-2009-0040) Description: A heap buffer overflow exists in ImageIO's handling of OpenEXR images. Viewing a maliciously crafted OpenEXR image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by updating OpenEXR to version 1.6.1.

Kernel: (CVE-2009-1235) Description: An implementation issue exists in the kernel's handling of fcntl system calls. A local user may overwrite kernel memory and execute arbitrary code with system privileges. This update addresses the issue through improved handling of fcntl system calls. Credit to Razvan Musaloiu-E. of Johns Hopkins University, HiNRG for reporting this issue.

launchd: (CVE-2009-2190) Description: Opening many connections to an inetd-based launchd service may cause launchd to stop servicing incoming connections to that service until the next system restart. This update addresses the issue through improved error handling.

Login Window: (CVE-2009-2191) Description: A format string issue in Login Window's handling of application names may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of application names.

MobileMe: (CVE-2009-2192) Description: A logic issue exists in the MobileMe preference pane. Signing out of the preference pane does not delete all credentials. A person with access to the local user account may continue to access any other system associated with the MobileMe account which had previously been signed in for that local account. This update addresses the issue by deleting all the credentials on sign out.

Networking: (CVE-2009-2194) Description: A synchronization issue exists in the handling of file descriptor sharing over local sockets. By sending messages containing file descriptors to a socket with no receiver, a local user may cause an unexpected system shutdown. This update addresses the issue through improved handling of file descriptor sharing.

XQuery: (CVE-2008-0674) Description: A buffer overflow exists in the handling of character classes in regular expressions in the Perl Compatible Regular Expressions (PCRE) library used by XQuery. This may allow a remote attacker to execute arbitrary code via a regular expression containing a character class with a large number of characters with Unicode code points greater than 255. This update addresses the issue by updating PCRE to version 7.6.

Solution: Apply Apple Security Update 2009-003:
http://www.apple.com/support/downloads/
http://www.securityfocus.com/bid/35954/solution
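An added triage helper, not part of this bulletin or of Apple's update: it encodes the PLATFORM ranges above as inclusive version bounds and checks installed versions (from a constructed inventory list, or from `sw_vers -productVersion` on a live Mac) so an administrator can tell which hosts need Security Update 2009-003.

```python
"""Affected-version check for the Apple Security Update 2009-003 bulletin."""
import subprocess
from typing import Optional, Tuple

# Inclusive (low, high) ranges taken from the bulletin's PLATFORM field.
# Mac OS X and Mac OS X Server share the same ranges, so one table serves both.
AFFECTED_RANGES = (
    ((10, 0, 0), (10, 4, 11)),   # Mac OS X 10.4.11 and prior
    ((10, 5, 0), (10, 5, 7)),    # Mac OS X 10.5 through 10.5.7
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '10.5.7' or '10.5' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the version falls inside a range the bulletin lists as affected."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def local_version() -> Optional[str]:
    """Read the running system's version via sw_vers; None when not on a Mac."""
    try:
        out = subprocess.run(["sw_vers", "-productVersion"],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed inventory: "hostname<TAB>version" lines, as an asset list might carry them.
    inventory = "mac-a\t10.4.11\nmac-b\t10.5.7\nmac-c\t10.5.8\nmac-d\t10.6\n"
    for line in inventory.splitlines():
        host, ver = line.split("\t")
        status = "apply Security Update 2009-003" if is_affected(ver) else "outside listed range"
        print(f"{host}: {ver} -> {status}")
```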
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov