STANFORD UNIVERSITY

SECURE COMPUTING

Security Alerts

February 21, 2007

Apple Releases February 2007 Security Update for Multiple Vulnerabilities

Summary

On February 15, 2007, Apple released Security Update 2007-002 to correct multiple vulnerabilities in the Macintosh OS and its corresponding components and applications. This combined security update is designed to fix four (4) security vulnerabilities in Finder, iChat, and UserNotification. Unless noted, all of these vulnerabilities can lead to a crash, arbitrary code execution, or elevation of system privileges if left unpatched.

What to Do

Security Update 2007-002 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.8 (PowerPC)
The download file is named: "SecUpd2007-002Ti.dmg"
Its SHA-1 digest is: 79da4e0f61288277f9896e761903abf748d2dc21

For Mac OS X v10.4.8 (Intel)
The download file is named: "SecUpd2007-002Univ.dmg"
Its SHA-1 digest is: 9a4b97853ac05ff407a8b8fe0906d916e219648b

For Mac OS X v10.3.9
The download file is named: "SecUpd2007-002Pan.dmg"
Its SHA-1 digest is: 81199248bf7218d8788663153131ab51d31320a1
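
The following added example (not part of the original alert or Apple's tooling) shows one way to check a downloaded image against the SHA-1 digests listed above before mounting it. The function names `sha1_of_file` and `verify_update` are chosen for this illustration; the file names and digests are the ones published in this alert.

```python
import hashlib
import hmac
import os

# File names and SHA-1 digests exactly as published in this alert.
PUBLISHED_SHA1 = {
    "SecUpd2007-002Ti.dmg": "79da4e0f61288277f9896e761903abf748d2dc21",
    "SecUpd2007-002Univ.dmg": "9a4b97853ac05ff407a8b8fe0906d916e219648b",
    "SecUpd2007-002Pan.dmg": "81199248bf7218d8788663153131ab51d31320a1",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file so a large disk image is never loaded whole."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_update(path, published=PUBLISHED_SHA1):
    """Return (ok, actual_digest) for a downloaded update image.

    Raises ValueError for a file name the alert does not list, so a
    renamed or unrelated image is never reported as verified.
    """
    name = os.path.basename(path)
    if name not in published:
        raise ValueError(f"{name!r} is not a file named in the alert")
    actual = sha1_of_file(path)
    # Normalise the published value in case it was pasted with
    # upper-case hex or trailing whitespace.
    expected = published[name].strip().lower()
    return hmac.compare_digest(actual, expected), actual


if __name__ == "__main__":
    import sys
    for image in sys.argv[1:]:
        try:
            ok, actual = verify_update(image)
        except (OSError, ValueError) as err:
            print(f"ERROR   {image}: {err}")
            continue
        print(f"{'OK' if ok else 'MISMATCH':8}{image}  sha1={actual}")
```

Run it with the path to the downloaded `.dmg` as the argument; a `MISMATCH` result means the file should be discarded and downloaded again rather than mounted.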

Technical Details

The following is a list of the vulnerabilities and their corresponding fixes:

Finder
CVE-ID: CVE-2007-0197
Available for: Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Mounting a maliciously-crafted disk image may lead to an application crash or arbitrary code execution.
Description: A buffer overflow exists in Finder's handling of volume names. By enticing a user to mount a malicious disk image, an attacker could trigger this issue, which may lead to an application crash or arbitrary code execution. A proof of concept for this issue has been published on the Month of Apple Bugs web site (MOAB-09-01-2007). This update addresses the issue by performing additional validation of disk images. This issue does not affect systems prior to Mac OS X v10.4.

iChat
CVE-ID: CVE-2007-0614, CVE-2007-0710
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Attackers on the local network may be able to cause iChat to crash.
Description: A null pointer dereference in iChat's Bonjour message handling could allow a local network attacker to cause an application crash. A proof of concept for this issue in Mac OS X v10.4 has been published on the Month of Apple Bugs web site (MOAB-29-01-2007). This update addresses the issues by performing additional validation of Bonjour messages.

iChat
CVE-ID: CVE-2007-0021
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Visiting malicious websites may lead to an application crash or arbitrary code execution.
Description: A format string vulnerability exists in the iChat AIM URL handler. By enticing a user to access a maliciously-crafted AIM URL, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. A proof of concept for this issue has been published on the Month of Apple Bugs web site (MOAB-20-01-2007). This update addresses the issue by performing additional validation of AIM URLs.

UserNotification
CVE-ID: CVE-2007-0023
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Malicious local users may be able to obtain system privileges.
Description: The UserNotificationCenter process runs with elevated privileges in the context of a local user. This may allow a malicious local user to overwrite or modify system files. A program that triggers this issue has been published on the Month of Apple Bugs web site (MOAB-22-01-2007). This update addresses the issue by having UserNotificationCenter drop its group privileges immediately after launching.


References

Additional information regarding these vulnerabilities is available at

Last modified Monday, 08-Oct-2007 04:34:16 PM
