Mac Users

  • jimmyf
    OU812
    • Feb 2001
    • 12651

    #1

    Mac Users

    Technical Cyber Security Alert TA05-136A
    Apple Mac OS X is affected by multiple vulnerabilities

    Original release date: May 16, 2005
    Last revised: --
    Source: US-CERT

    Systems Affected

    Mac OS X version 10.3.9 (Panther) and Mac OS X Server version 10.3.9

    Overview

    Apple has released Security Update 2005-005 to address multiple
    vulnerabilities affecting Mac OS X and Mac OS X Server. The most
    serious of these vulnerabilities may allow a remote attacker to
    execute arbitrary code. Impacts of other vulnerabilities addressed by
    the update include disclosure of information and denial of service.

    I. Description

    Apple Security Update 2005-005 resolves a number of vulnerabilities
    affecting Mac OS X and OS X Server. Further details are available in
    the following Vulnerability Notes:

    VU#356070 - Apple Terminal fails to properly sanitize input for
    x-man-page URI

    Apple Terminal on Mac OS X fails to sanitize x-man-page URIs, allowing
    a remote attacker to execute arbitrary commands.
    (CAN-2005-1342)

    VU#882750 - libXpm image library vulnerable to buffer overflow

    libXpm image parsing code contains a buffer-overflow vulnerability
    that may allow a remote attacker to execute arbitrary code or cause a
    denial-of-service condition.
    (CAN-2004-0687)

    VU#125598 - LibTIFF vulnerable to integer overflow via corrupted
    directory entry count

    An integer overflow in LibTIFF may allow a remote attacker to execute
    arbitrary code.
    (CAN-2004-1308)

    VU#539110 - LibTIFF vulnerable to integer overflow in the
    TIFFFetchStrip() routine

    An integer overflow in LibTIFF may allow a remote attacker to execute
    arbitrary code.
    (CAN-2004-1307)

    VU#537878 - libXpm library contains multiple integer overflow
    vulnerabilities

    libXpm contains multiple integer-overflow vulnerabilities that may
    allow a remote attacker to execute arbitrary code or cause a
    denial-of-service condition.
    (CAN-2004-0688)

    VU#331694 - Apple Mac OS X chpass/chfn/chsh utilities do not properly
    validate external programs

    Mac OS X Directory Service utilities do not properly validate code
    paths to external programs, potentially allowing a local attacker to
    execute arbitrary code.
    (CAN-2004-1335)

    VU#582934 - Apple Mac OS X Foundation framework vulnerable to buffer
    overflow via incorrect handling of an environmental variable

    A buffer overflow in Mac OS X's Foundation Framework's processing of
    environment variables may lead to elevated privileges.
    (CAN-2004-1336)

    VU#706838 - Apple Mac OS X vulnerable to buffer overflow via vpnd
    daemon

    Apple Mac OS X contains a buffer overflow in vpnd that could allow a
    local, authenticated attacker to execute arbitrary code with root
    privileges.
    (CAN-2004-1343)

    VU#258390 - Apple Mac OS X with Bluetooth enabled may allow file
    exchange without prompting users

    Apple Mac OS X with Bluetooth support may unintentionally allow files
    to be exchanged with other systems by default.
    (CAN-2004-1332)

    VU#354486 - Apple Mac OS X Server Netinfo Setup Tool fails to validate
    command line parameters

    Apple Mac OS X Server NeST tool contains a vulnerability in the
    processing of command line arguments that could allow a local attacker
    to execute arbitrary code.
    (CAN-2004-0594)

    Please note that Apple Security Update 2005-005 addresses additional
    vulnerabilities not described above. As further information becomes
    available, we will publish individual Vulnerability Notes.

    II. Impact

    The impacts of these vulnerabilities vary; for information about
    specific impacts, please see the Vulnerability Notes. Potential
    consequences include remote execution of arbitrary code or commands,
    disclosure of sensitive information, and denial of service.

    III. Solution

    Install an Update

    Install the update as described in Apple Security Update 2005-005.

    Appendix A. References

    * US-CERT Vulnerability Note VU#582934 -
    <http://www.kb.cert.org/vuls/id/582934>

    * US-CERT Vulnerability Note VU#258390 -
    <http://www.kb.cert.org/vuls/id/258390>

    * US-CERT Vulnerability Note VU#331694 -
    <http://www.kb.cert.org/vuls/id/331694>

    * US-CERT Vulnerability Note VU#706838 -
    <http://www.kb.cert.org/vuls/id/706838>

    * US-CERT Vulnerability Note VU#539110 -
    <http://www.kb.cert.org/vuls/id/539110>

    * US-CERT Vulnerability Note VU#354486 -
    <http://www.kb.cert.org/vuls/id/354486>

    * US-CERT Vulnerability Note VU#882750 -
    <http://www.kb.cert.org/vuls/id/882750>

    * US-CERT Vulnerability Note VU#537878 -
    <http://www.kb.cert.org/vuls/id/537878>

    * US-CERT Vulnerability Note VU#125598 -
    <http://www.kb.cert.org/vuls/id/125598>

    * US-CERT Vulnerability Note VU#356070 -
    <http://www.kb.cert.org/vuls/id/356070>

    * Apple Security Update 2005-005 -
    <http://docs.info.apple.com/article.html?artnum=301528>
    _________________________________________________________________

    These vulnerabilities were discovered by several people and reported
    in Apple Security Update 2005-005. Please see the Vulnerability Notes
    for individual reporter acknowledgements.
    _________________________________________________________________

    Feedback can be directed to the authors: Jeffrey Gennari and Jason
    Rafail.
    _________________________________________________________________

    Copyright 2005 Carnegie Mellon University. Terms of use

    Revision History

    May 16, 2005: Initial release
    Last updated May 16, 2005
    Epic Cash works for me
    Solar Cash Paysite Plugin
    Gallery of the day freesites,POTD,Gallery generator with free hosting
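VU#125598 and VU#539110 above describe integer overflows in LibTIFF's handling of file-supplied counts. The following is an added example, not code from the advisory or from libtiff: a hardened check, written against the classic TIFF layout from the TIFF 6.0 specification, that validates a directory entry count against the file size with overflow-safe arithmetic before anything is allocated from it. The function names, the sample bytes and the assumption that the count-times-entry-size pattern is the relevant one are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Classic TIFF layout (assumed from the TIFF 6.0 spec, not libtiff's code):
 * header = byte order ("II"/"MM"), 16-bit magic 42, 32-bit first-IFD offset;
 * IFD = 16-bit entry count, count * 12 bytes of entries, 32-bit next-IFD link. */
#define TIFF_IFD_ENTRY_SIZE 12u

static uint16_t rd16(const uint8_t *p, int le) { return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
              : (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Multiply a file-supplied count by an element size without letting the product wrap. */
int checked_mul_size(size_t nmemb, size_t elem, size_t *out) {
    if (elem != 0 && nmemb > SIZE_MAX / elem) return 0;  /* would overflow: refuse */
    *out = nmemb * elem;
    return 1;
}

/* Validate the first IFD of a TIFF held entirely in buf[0..len). Returns the
 * entry count if the whole directory lies inside the buffer, else -1, so a
 * corrupted count is rejected before it sizes any allocation or copy. */
int tiff_first_ifd_entries(const uint8_t *buf, size_t len) {
    int le; uint32_t ifd_off; size_t count, entries_bytes;
    if (len < 8) return -1;                       /* header alone needs 8 bytes */
    if (memcmp(buf, "II", 2) == 0) le = 1;
    else if (memcmp(buf, "MM", 2) == 0) le = 0;
    else return -1;
    if (rd16(buf + 2, le) != 42) return -1;
    ifd_off = rd32(buf + 4, le);
    if (ifd_off > len - 2) return -1;             /* subtraction form: cannot wrap */
    count = rd16(buf + ifd_off, le);
    if (!checked_mul_size(count, TIFF_IFD_ENTRY_SIZE, &entries_bytes)) return -1;
    if (entries_bytes + 4 > len - 2 - ifd_off) return -1;  /* entries + next-IFD link */
    return (int)count;
}

/* Constructed sample: little-endian header, 2-entry IFD at offset 8 (entries zero-filled). */
static const uint8_t sample_tiff[38] = { 'I', 'I', 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00, 0x02, 0x00 };
int demo_valid(void)     { return tiff_first_ifd_entries(sample_tiff, sizeof sample_tiff); }
int demo_truncated(void) { return tiff_first_ifd_entries(sample_tiff, 20); }
int demo_corrupt_count(void) {                    /* count field rewritten to 0xFFFF */
    uint8_t t[sizeof sample_tiff];
    memcpy(t, sample_tiff, sizeof t);
    t[8] = 0xFF; t[9] = 0xFF;
    return tiff_first_ifd_entries(t, sizeof t);
}
```

The constructed file is accepted with 2 entries; the truncated buffer and the 0xFFFF count are both rejected before the count reaches an allocator.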
  • videoxpix
    Confirmed User
    • Nov 2003
    • 267

    #2
    Thanks for the heads up
    Go Fuck Yourselves!

    • jimmyf
      OU812
      • Feb 2001
      • 12651

      #3
      Originally posted by videoxpix
      Thanks for the heads up
      I don't use a Mac, but thought you guys that did might want to know.

      so bump for the wacko Mac user


      just kidding on the wacko

      • wimpy
        Confirmed User
        • Jan 2003
        • 607

        #4
        This must be a few days old at least. I updated patches last week; I just checked for new patches and none were found.
        Fyodor Dostoyevsky wrote: "Every man has reminiscences which he would not tell to everyone but only his friends. He has other matters in his mind which he would not reveal even to his friends, but only to himself, and that in secret. But there are other things which a man is afraid to tell even to himself, and every decent man has a number of such things stored away in his mind."

        icq 8243657

        • nuttyrom
          Confirmed User
          • Jan 2003
          • 256

          #5
          Yeah, I got my G5 updated. Thanks for the heads up.

          • reynold
            Too lazy to set a custom title
            • Oct 2002
            • 51271

            #6
            I don't think it will be useful for me; I'm sorry, I am not a Mac user.

            • Jace
              FBOP Class Of 2013
              • Jan 2004
              • 35562

              #7
              Don't Macs update automatically?

              Wait, I just checked mine; they don't if you have automatic updates turned off.

              Thanks.

              • MissMiranda
                Confirmed User
                • Jul 2004
                • 583

                #8
                Damn, I thought this was about makeup.

                J/K

                • Tango
                  Let's Tango!
                  • Apr 2005
                  • 1570

                  #9
                  Got the update, thx.
                  ADULTS.com / ADULTS.net for sale

                  AFFILIATE.com also for sale

                  Serious Inquiries Only:
                  Email: [email protected] for offers
