Security Alerts
June 22, 2007
Apple Releases June 2007 Security Update for Two Vulnerabilities
Summary
On April 19, 2007, Apple released Security Update APPLE-SA-2007-06-22 to correct two security vulnerabilities. The patches are for:
- WebCore, where visiting a malicious website may allow cross-site requests.
- WebKit, where visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution.
It is important that all Macintosh systems be patched.
What to Do
Security Update 2007-006 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.4.9 (PowerPC) or later
and Mac OS X Server v10.4.9 (PowerPC) or later
The download file is named: "SecUpd2007-006Ti.dmg"
Its SHA-1 digest is: 14ba95e8d6e795b9d0f99b614fe426d643edf15e
For Mac OS X v10.4.9 (Universal) or later
and Mac OS X Server v10.4.9 (Universal) or later
The download file is named: "SecUpd2007-006Univ.dmg"
Its SHA-1 digest is: 68fe035d8653de6e4d27da92d4dbf77c53c1f214
For Mac OS X v10.3.9 and Mac OS X Server v10.3.9
The download file is named: "SecUpd2007-006Pan.dmg"
Its SHA-1 digest is: 8c085ef167f1bfa92ec9e34834181bb034686e8a
Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798
Technical Details
The following is a list of the vulnerabilities and their corresponding fixes:
WebCore
CVE-ID: CVE-2007-2401
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later
Impact: Visiting a malicious website may allow cross-site requests
Description: An HTTP injection issue exists in XMLHttpRequest when
serializing headers into an HTTP request. By enticing a user to
visit a maliciously crafted web page, an attacker could conduct
cross-site scripting attacks. This update addresses the issue by
performing additional validation of header parameters. Credit to
Richard Moore of Westpoint Ltd. for reporting this issue.
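The following is an added illustration, not Apple's or WebKit's code, of the kind of check the WebCore fix describes: validating header names and values before XMLHttpRequest serializes them into the request, so that an embedded CR/LF cannot split one header into two. Function names, the regular expressions and the sample header sets are assumptions made for this example.

```javascript
// Added example (not WebCore's implementation): model of header validation
// applied before an XMLHttpRequest serializes headers into an HTTP request.

// Header names must be RFC 2616 "token" characters only (no spaces,
// separators or control characters). Regex is an assumption of this example.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isValidHeaderName(name) {
  return typeof name === "string" && TOKEN_RE.test(name);
}

// Header values must not contain CR, LF or other C0 control characters
// (horizontal tab allowed) or DEL; a CR/LF would end the header line.
function isValidHeaderValue(value) {
  return typeof value === "string" && !/[\x00-\x08\x0A-\x1F\x7F]/.test(value);
}

// Serialize headers into "Name: value" lines, refusing any unsafe entry
// instead of emitting it into the request.
function serializeHeaders(headers) {
  const lines = [];
  for (const [name, value] of Object.entries(headers)) {
    if (!isValidHeaderName(name)) {
      throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
    }
    if (!isValidHeaderValue(value)) {
      throw new TypeError(`invalid header value for ${name}`);
    }
    lines.push(`${name}: ${value}`);
  }
  return lines.join("\r\n") + "\r\n";
}

// Count the header lines an unvalidated serialization would produce; a value
// carrying CRLF yields more lines than headers, which is the injection risk.
function countRawHeaderLines(headers) {
  const raw = Object.entries(headers).map(([n, v]) => `${n}: ${v}`).join("\r\n");
  return raw.split("\r\n").length;
}

// Constructed sample inputs for this example.
const benignHeaders = { "X-Requested-With": "XMLHttpRequest", "Accept": "text/html" };
const crlfHeaders = { "X-Custom": "ok\r\nX-Extra: value" };

function demo() {
  const result = { benign: serializeHeaders(benignHeaders), rejected: false,
                   rawLines: countRawHeaderLines(crlfHeaders) };
  try { serializeHeaders(crlfHeaders); } catch (e) { result.rejected = e instanceof TypeError; }
  return result;
}
```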
WebKit
CVE-ID: CVE-2007-2399
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: An invalid type conversion when rendering frame sets
could lead to memory corruption. Visiting a maliciously crafted web
page may lead to an unexpected application termination or arbitrary
code execution. Credit to Rhys Kidd of Westnet for reporting this
issue.
References
Additional information regarding these vulnerabilities is available at