Vulnerability Identifiers: APSB08-19, APSB08-13, APSA09-01; all platforms (Windows, MAC)

There are two Adobe Acrobat security vulnerabilities which have recently been seen on Stanford machines. These involve a series of critical JavaScript vulnerabilities (APSB08-19, APSB08-13). They affect Acrobat and Reader versions 7 and 8, but not version 9. Updating to versions 7.1.0, 8.1.3, or 9 will patch these vulnerabilities. Security updates for these are now available as BigFix fixlets (Windows only) for console operators to manually deploy. Updates are also directly available from Adobe. Acrobat versions 8.X may require four maximum layered updates, depending on which 8.X version you have : update from Acrobat 8.0 to Acrobat 8.1, 8.1 to 8.1.1, 8.1.1 to 8.1.2, then 8.1.2 to 8.1.3. The Information Security Office recommends system administrators and BigFix Console Operators check to see if they have machines which are vulnerable and apply the updates on applicable systems, either directly from Adobe or as a BigFix fixlet(s).

Additionally On February 19th 2009, Adobe identified another critical vulnerability in Adobe Reader 9 and Acrobat 9 and earlier versions of these products (APSA09-01). This vulnerability could cause the application to crash and potentially allow an attacker to take control of the affected system. Adobe has announced plans to release a patch update by March 11, 2009 for version 9, and a followup round for versions 7/8 by March 18th, 2009. In the mean time, many sources including Adobe recommend users disable support for JavaScript in Adobe Reader/Acrobat to prevent exploitation. While this may prevent many of the exploits from successfully executing arbitrary code, it does not protect against the vulnerability itself. Working exploits have been crafted without the use of JavaScript ( http://secunia.com/blog/44/ ). Users of Adobe Reader/Acrobat should be advised to exercise caution when deciding which PDF files to open regardless whether JavaScript was disabled or not. System administrators and BigFix Console Operators should watch for the patch from Adobe and apply the update on applicable systems.

**** SU BigFix Fixlets Available to Patch for APSB08-19 & APSB08-13 *****

Acrobat Version 7 BigFix Fixlets:
9071008 Adobe Acrobat 7.1.0 Available - Update to Acrobat 7.1.0 (Professional Edition)
9071009 Adobe Acrobat 7.1.0 Available - Update to Acrobat 7.1.0 (Standard Edition)

Reader 7 BigFix Fixlets:
8071001 Adobe Reader 7.1.0 Available - Update to Reader 7.1.0

Acrobat 8 BigFix Fixlets:
9081002 Adobe Acrobat 8.1 Available - Update from Adobe Acrobat 8.0
9081001 Adobe Acrobat 8.1.1 Available - Update from Adobe Acrobat 8.1.0
9081003 Adobe Acrobat 8.1.2 Available - Update from Adobe Acrobat 8.1.1
9081007 Adobe Acrobat 8.1.3 Available - Update from Adobe Acrobat 8.1.2

Reader 8 BigFix Fixlet:
8081002 Adobe Reader 8.1.3 - Update to Reader 8.1.3

**** Adobe Security Update Sites to Patch for APSB08-19 & APSB08-13 *******

APSB08-13 Security Updates available for Adobe Reader and Acrobat 7 and 8
(all O/S platforms, affected versions: 8.1.2 and earlier 7.X / 8.X )

http://www.adobe.com/support/security/bulletins/apsb08-13.html

APSB08-19 Security Update for Adobe Reader 8 and Acrobat 8
(all O/S platforms, affected versions: 8.1.1 and earlier 8.X)

http://www.adobe.com/support/security/bulletins/apsb08-19.html

What To Do

Background

Over the holiday weekend (2/15-2/18) many Stanford email users began receiving fraudulent messages asking them to verify their email accounts by replying with account details, including passwords. These messages do not come from Stanford. Their "Reply-To" addresses are anonymous accounts in non-Stanford domains such as "live.com", "gmail.com", and "googlemail.com".

If you receive messages asking for account passwords, please DO NOT REPLY. Neither Stanford nor any other reputable business or institution would ask for your password via email.

These messages are a "phishing" scam, used to trick the unwary into giving their account credentials to an anonymous attacker who then takes over the account and uses it to launch other attacks. We have had several confirmed reports of Stanford accounts being compromised by this scam.

The ITS email team began blocking these incoming messages at the central mail servers on Saturday, February 16. As a further precaution, replies to the currently known attackers' addresses are being blocked at the central servers to prevent exposing any more accounts.

Because the attackers are using anonymous accounts, they can change addresses at any time to avoid identification. ITS will continue to block new addresses as they are discovered, but it will continue to be an arms race and blocking will never be 100% effective. So be on the lookout for new variations of this scam, and remember that you should never send someone your SUNet password for any reason.

Thank you,
Stanford Information Security Office

On January 8, 2008 Microsoft released their monthly security bulletin with the latest security updates for workstations and servers. The Microsoft bulletin lists two (2) security vulnerabilities, one critical and one important. The critical patch addresses the vulnerability in TCP/IP processing which can lead to remote code execution if unpatched. The other addresses a vulnerability in the Microsoft Windows Local Security Authority Subsystem Service (LSASS) which when exploited could lead to local elevation of privilege and complete system compromise. The affected operating system platforms are:

* Windows Server 2003
* Windows XP
* Windows 2000 SP4
* Windows Small Business Server 2003 Service Pack 2
* Windows Vista

It is imperative patches with critical and important designations be applied due to the serious nature of remote execution vulnerabilities which can allow for complete compromise and control of systems originating from within campus and the Internet. Stanford's BigFix will be delivering all these patches. Details are in the Technical Details section of this post.

What to Do

Windows users can manually use "Windows Update" to download and install the current operating system patches. Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured on their system. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. A customized update will be delivered to workstations and servers via BigFix if you subscribed to this service. Individual updates can be downloaded by going to the Summary section of this Microsoft site. Please remember to reboot your machine after patching manually, or when prompted to do so by Windows Update or by your BigFix administrator. Most patches do not take effect until after a reboot.

Technical Details

It is important all patches designated as critical or important be applied. The patches for the vulnerabilities are listed as follow, those with an * delivered via BigFix:

Critical (1)

*MS08-001 Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)
Impact: Remote Code Execution

Windows Kernel TCP/IP/IGMPv3 and MLDv2 Vulnerability - CVE-2007-0069
A remote code execution vulnerability exists in the Windows kernel due to the way that the Windows kernel handles TCP/IP structures storing the state of IGMPv3 and MLDv2 queries. Supported editions of Microsoft Windows XP, Windows Server 2003, and Windows Vista all support IGMPv3. In addition to IGMPv3, Windows Vista supports MDLv2, which adds multicast support for IPv6 networks. An anonymous attacker could exploit the vulnerability by sending specially crafted IGMPv3 and MLDv2 packets to a computer over the network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Important (1)

*MS08-002 Vulnerability in LSASS Could Allow Local Elevation of Privilege (943485)
Impact: Local Elevation of Privilege

LSASS Bypass Vulnerability - CVE-2007-5352
An elevation of privilege vulnerability exists in the Microsoft Windows Local Security Authority Subsystem Service (LSASS) due to its improper handling of local procedure call (LPC) requests. The vulnerability could allow an attacker to run code with elevated privileges. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Affected Platforms and Applications:

Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Windows Small Business Server 2003 Service Pack 2
Windows Vista
Windows Vista x64 Edition

References

Detailed information about specific affected platforms and applications can be found at:
http://www.microsoft.com/technet/security/bulletin/ms08-jan.mspx

This vulnerability requires a user to be logged in locally or executing code
on a host, and can be accomplished remotely via remote desktop
applications such as Citrix and Windows Terminal Services (RDP). A few
Stanford hosts were recently compromised via the Critix route, and it is
imperative that measures be undertaken to remove the vulnerable driver from
Windows 2003 Server hosts. An alternate route of entry would be to combine
an exploit for this vulnerability with another user-based remote exploit
(e.g. worm). This would allow the attacker to launch a remote attack, to
execute code that would then launch this attack, and subsequently elevate
system privileges.

Since there is no patch released to date from either Microsoft or
Macrovision, at the moment we recommend the vulnerable driver be removed
from installed Windows 2003 Server hosts here on campus. The ITS Windows
Systems Team has provided steps to manually remove the driver via the
command line interface, and to restore it (backout) if necessary.

If a backout strategy is needed, backup (export) the original secdrv
registry key and save a copy of "secdrv.sys" to a temp directory (or
removable
disk) before performing the removal steps. For example, you can create a
temp directory "c:\secdrv" for the registry key and the driver.
In this case, you can run RegEdt32 for the command line, navigate to the
following registry key:

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Secdrv"

and export it ( File/export....) to the temp directory. Then copy the secdrv
driver to the temp directory (or flash drive):

Copy c:\windows\system32\drivers\secdrv.sys c:\secdrv

You will import the registry key back into the system if you choose to
backout, and these steps are detailed below.

---------------------------------------------------------------------------------------------------------------------------

To uninstall "secdrv.sys" from Windows 2003 Server, run the following
script with administrator privilege:

REM ***** (remark) Stops driver if running *****

sc stop secdrv

REM ***** Deletes vuln driver from OS **********

sc delete secdrv

REM ***** Deletes vuln driver file from file systems ******

del c:\windows\system32\drivers\secdrv.sys

REM ****** Done! ********

--------------------------------------------------------------------------------------------------------------------------

To restore secdrv.sys (backout) on Windows 2003 Server, run the following
with administrator privilege:

REM ***** Copy the driver back to the system driver directory *******

Copy c:\secdrv\secdrv.sys c:\windows\system32\drivers

REM ***** Import/merge the backup "secdrv.sys" registry key - auto import
by double clicking the exported registry file, or via RegEdt32
(File/import...)

REM **** Recreate the Secdrv service *****************

sc create secdrv binpath= c:\windows\system32\drivers\secdrv.sys

REM ***** Start the secdrv service in necessary (if it was running
before)

sc start secdrv

REM ***** Done

!! Note the space character between "=" and
"c:\windows\system32\drivers\secdrv.sys"
An alternate method to restore "secdrv.sys" is to omit the "SC create" step
and reboot the server.

When the removal process satisfactory, you can delete the secdrv driver
from temp folder.

The ISO would like to thank Jason Craig, Sean Riordan, and the ITS Windows
Systems Group for their assistance and support.

Reference:

http://www.symantec.com/enterprise/security_response/weblog/2007/10/privilege_escalation_exploit_i.html

http://www.securityfocus.com/bid/26121/info

http://research.eeye.com/html/alerts/zeroday/20071016.html

On August 14, 2007 Microsoft released their monthly security bulletin with the latest security updates for workstations and servers. The Microsoft bulletin lists nine (9) security vulnerabilities, with six (6) listed as critical and three (3) listed as important. The six critical ones are patches for XML Core Services (IE web browser), Object Linking and Embedding (OLE), Microsoft Excel, Internet Explorer, Graphics Rendering Engine (GDI), and the Vector Markup Language (VML) which all can lead to remote execution when a system is left unpatched. The three remaining important patches are for Windows Media Player, Windows Gadgets, and Virtual PC which can lead to remote code execution or elevation of privilege if left unpatched. The affected operating system platforms are:

* Windows Server 2003
* Windows XP
* Windows 2000 SP4
* Windows Vista

It is imperative patches with critical and important designations be applied due to the serious nature of remote execution vulnerabilities which can allow for complete compromise and control of systems originating from within campus and the Internet. The Windows Gadgets patch only applies to Vista systems. Stanford's BigFix will be delivering all these patches except for these two: the Virtual PC patch because of its low install base here on campus, and the Excel patch which will require a local administrator to intervene. Details are in the Technical Details section of this post.

What to Do

Windows users can manually use "Windows Update" to download and install the current operating system patches. Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured on their system. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. A customized update will be delivered to workstations and servers via BigFix if you subscribed to this service. The BigFix deliverable includes all this months's patches except the Virtual PC and Excel patches. Individual updates can be downloaded by going to the Summary section of this Microsoft website. Please remember to reboot your machine after patching manually, or when prompted to do so by Windows Update or by your BigFix administrator. Most patches do not take effect until after a reboot.

Technical Details

It is important all patches designated as critical or important be applied. The patches for the vulnerabilities are listed as follow, those with an * delivered via BigFix:

Critical (6)

*MS07-042 - Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227)
Impact: Remote Code Execution

Microsoft XML Core Services Vulnerability - CVE-2007-2223
A remote code execution vulnerability exists in Microsoft XML Core Services that could allow an attacker who successfully exploited this vulnerability to make changes to the system with the permissions of the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

*MS07-043 - Vulnerability in OLE Automation Could Allow Remote Code Execution (921503)
Impact: Remote Code Execution

OLE Automation Memory Corruption Vulnerability - CVE-2007-2224
A remote code execution vulnerability exists in Object linking and embedding (OLE) Automation that could allow an attacker who successfully exploited this vulnerability to make changes to the system with the permissions of the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS07-044 - Vulnerability in Microsoft Excel Could Allow Remote Code Execution (940965)
Impact: Remote Code Execution

Workspace Memory Corruption Vulnerability – CVE-2007-3890
A remote code execution vulnerability exists in the way Excel handles malformed Excel files. An attacker could exploit the vulnerability by sending a malformed file which could be included as an e-mail attachment, or hosted on a malicious or compromised Web site.

*MS07-045 - Cumulative Security Update for Internet Explorer (937143)
Impact: Remote Code Execution

CSS Memory Corruption Vulnerability - CVE-2007-0943
A remote code execution vulnerability exists in the way Internet Explorer parses certain strings in CSS. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user..

ActiveX Object Vulnerability - CVE-2007-2216
A remote code execution vulnerability exists in the ActiveX control, tblinf32.dll. This control can also be found under the name of vstlbinf.dll. Both of these components were never intended to be supported in Internet Explorer. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user visited the Web page. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.

ActiveX Object Memory Corruption Vulnerability - CVE-2007-3041
A remote code execution vulnerability exists in the ActiveX object, pdwizard.ocx. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.

*MS07-046 - Vulnerability in GDI Could Allow Remote Code Execution (938829)
Impact: Remote Code Execution

Remote Code Execution Vulnerability in GDI– CVE-2007-3034
A remote code execution vulnerability exists in the Graphics Rendering Engine because of the way that it handles specially crafted images. An attacker could exploit the vulnerability by constructing a specially crafted image that could potentially allow remote code execution if a user opened a specially crafted attachment in e-mail.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

*MS07-050 - Vulnerability in Vector Markup Language Could Allow Remote Code Execution (938127)
Impact: Remote Code Execution

VML Buffer Overrun Vulnerability - CVE-2007-1749
A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows. An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail. When a user views the Web page or the message, the vulnerability could allow remote code execution.

Important (3)

*MS07-047 - Vulnerability in Windows Media Player Could Allow Remote Code Execution (936782)
Impact: Remote Code Execution

Windows Media Player Code Execution Vulnerability Parsing Skins – CVE-2007-3037
A code execution vulnerability exists in Windows Media Player skin parsing. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Windows Media Player Code Execution Vulnerability Decompressing Skins - CVE-2007-3035
A remote code execution vulnerability exists in Windows Media Player an attacker who successfully exploited this vulnerability could take complete control of an affected system.

*MS07-048 - Vulnerabilities in Windows Gadgets Could Allow Remote Code Execution (938123)
Impact: Remote Code Execution

Windows Vista Feed Headlines Gadget Could Allow Remote Code Execution – CVE-2007-3033
A remote code execution vulnerability exists in Windows Vista Feed Headlines Gadgets that could allow a remote anonymous attacker to run code with the privileges of the logged on user.

Windows Vista Contacts Gadget Could Allow Code Execution – CVE-2007-3032
A code execution vulnerability exists in Windows Vista Contacts Gadget that could allow an attacker to run code with the privileges of the logged on user.

Windows Vista Weather Gadget Could Allow Remote Code Execution – CVE-2007-3891
A remote code execution vulnerability exists in Windows Vista Weather Gadgets that could allow an attacker to run code with the privileges of the logged on user.

MS07-049 - Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986)
Impact: Elevation of Privilege

Virtual PC and Virtual Server Heap Overflow Vulnerability - CVE-2007-0948
An elevation of privilege vulnerability exists in Microsoft Virtual PC and Microsoft Virtual Server that could allow a user with administrator permissions to the guest operating system to run code on the host operating system or other guest operating systems. An attacker with administrator permissions to the guest operating system, could exploit the vulnerability by running specially crafted code on the guest operating system. This could result in a heap overflow on the host or other guest operating systems. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Affected Platforms and Applications:

Windows 2000 Service Pack 4
Windows XP Service Pack 2
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003
Windows Server 2003 Service Pack 1
Windows Server 2003 Service Pack 2
Windows Server 2003 for Itanium-based Systems
Windows Server 2003 with SP1 for Itanium-based Systems
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition
Windows Server 2003 x64 Edition Service Pack 2
Windows Vista
Windows Vista x64 Edition

Internet Explorer 5.01/6/7

Windows Media Player 7.1 on Microsoft Windows 2000 Service Pack 4
Windows Media Player 9 when installed on Microsoft Windows 2000 Service Pack 4
Windows Media Player 9 on Windows XP Service Pack 2
Windows Media Player 10 when installed on Windows XP Service Pack 2
Windows Media Player 10 on Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Media Player 10 on Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Media Player 10 on Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Media Player 11 when installed on Windows XP Service Pack 2
Windows Media Player 11 on Windows XP Professional X64 Edition and Windows XP Professional X64 Edition Service Pack 2
Windows Media Player 11 in Windows Vista
Windows Media Player 11 in Windows Vista x64 Edition
Microsoft Virtual PC 2004
Microsoft Virtual PC 2004 Service Pack 1
Microsoft Virtual Server 2005 Standard Edition
Microsoft Virtual Server 2005 Enterprise Edition
Microsoft Virtual Server 2005 R2 Standard Edition
Microsoft Virtual Server 2005 R2 Enterprise Edition
Microsoft Virtual PC for Mac Version 6.1
Microsoft Virtual PC for Mac Version 7
Microsoft Office 2000 Service Pack 3
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 2
Microsoft Office 2003 Service Pack 2 with Microsoft XML Core Services 5.0 (KB936048)
Microsoft Excel Viewer 2003
Microsoft Office 2004 for Mac
2007 Office System with Microsoft XML Core Services 5.0 (KB936960)
Microsoft Office Groove Server 2007 with Microsoft XML Core Services 5.0 (KB936056)
Microsoft Office SharePoint Server with Microsoft XML Core Services 5.0 (KB936056)
Microsoft Visual Basic 6.0 Service Pack 6 (KB924053)

References

Detailed information about specific affected platforms and applications can be found at:
http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx

On April 19, 2007, Apple released Security Update APPLE-SA-2007-06-22 to correct two security vulnerabilities. The patches are for:

• Webcore, where visiting a malicious website may allow cross-site requests.
• WebKit, where visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
  

It is important that all Macintosh systems be patched.

What to Do

Security Update 2007-006 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.9 (PowerPC) or later
and Mac OS X Server v10.4.9 (PowerPC) or later
The download file is named: "SecUpd2007-006Ti.dmg"
Its SHA-1 digest is: 14ba95e8d6e795b9d0f99b614fe426d643edf15e

For Mac OS X v10.4.9 (Universal) or later
and Mac OS X Server v10.4.9 (Universal) or later
The download file is named: "SecUpd2007-006Univ.dmg"
Its SHA-1 digest is: 68fe035d8653de6e4d27da92d4dbf77c53c1f214

For Mac OS X v10.3.9 and Mac OS X Server v10.3.9
The download file is named: "SecUpd2007-006Pan.dmg"
Its SHA-1 digest is: 8c085ef167f1bfa92ec9e34834181bb034686e8a

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

Technical Details

The following is a list of the vulnerabilities and their corresponding fixes:

WebCore
CVE-ID: CVE-2007-2401
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later
Impact: Visiting a malicious website may allow cross-site requests
Description: An HTTP injection issue exists in XMLHttpRequest when
serializing headers into an HTTP request. By enticing a user to
visit a maliciously crafted web page, an attacker could conduct
cross-site scripting attacks. This update addresses the issue by
performing additional validation of header parameters. Credit to
Richard Moore of Westpoint Ltd. for reporting this issue.

WebKit
CVE-ID: CVE-2007-2399
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: An invalid type conversion when rendering frame sets
could lead to memory corruption. Visiting a maliciously crafted web
page may lead to an unexpected application termination or arbitrary
code execution. Credit to Rhys Kidd of Westnet for reporting this
issue.

References

Additional information regarding these vulnerabilities is available at

• http://docs.info.apple.com/article.html?artnum=61798

On April 19, 2007, Apple released Security Update APPLE-SA-2007-04-19 to correct twenty five (25) security vulnerabilities. Of particular importance are patches for:

• Kerberos, where an uninitialized function pointer vulnerability exists in the MIT Kerberos administration daemon (kadmind), which may lead to an unexpected application termination or arbitrary code execution with system privileges.
• URLMount, where the username and password used to mount remote file systems through connections to SMB servers (e.g. Windows) are passed as command line arguments, which may expose them to other local users.
• HID family , where console keyboard events are exposed to other users on the local system and allow any logged in user to capture console keystrokes, including passwords and other sensitive information.
• Fetchmail, where mail may send passwords in plain text, even when configured to use TLS.
• Libinfo (portmap) , where remote attackers may be able to cause a denial of service or arbitrary code execution if the portmap service is enabled.
• Network_cmds, where emote attackers may be able to cause a denial of service or arbitrary code execution if Internet Sharing is enabled.
• ftpd, where FTP operations by authenticated FTP users may lead to arbitrary code execution.
  
• iChat's VideoConference , where remote attackers may be able to cause an unexpected application termination or arbitrary code execution if iChat is running.
  
• AirPort, where a local user may be able to execute arbitrary code with elevated privileges
  
  

Unless noted, all vulnerabilities can lead to arbitrary crash or arbitrary code execution if left unpatched. It is important that all Macintosh systems be patched.

What to Do

Security Update 2007-004 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.9 (PowerPC) and Mac OS X Server v10.4.9 (PowerPC)
The download file is named: "SecUpd2007-004Ti.dmg"
Its SHA-1 digest is: 710afb28b12113a6b6570c36d4a87302cc5b4d8c

For Mac OS X v10.4.9 (Universal) and
Mac OS X Server v10.4.9 (Universal)
The download file is named: "SecUpd2007-004Univ.dmg"
Its SHA-1 digest is: 6d6c39a7068bfbf403da493f49ed23a5b10bc6bb

For Mac OS X v10.3.9
The download file is named: "SecUpd2007-004Pan.dmg"
Its SHA-1 digest is: 0ae26e2a2e9dfc68636993344bf33db13a28ea25

For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2007-004Pan.dmg"
Its SHA-1 digest is: 1c7eb4f36bdd3cd3dc037a16f3cf63e977a7162e

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

Technical Details

The following is a list of the vulnerabilities and their corresponding fixes:

AFP Client
CVE-ID: CVE-2007-0729
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: A local user may obtain system privileges
Description: Under certain circumstances, AFP Client may execute
commands without properly cleaning the environment. This may allow a
local user to create files or execute commands with system
privileges. This update addresses the issue by cleaning the
environment prior to executing commands.

AirPort
CVE-ID: CVE-2007-0725
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: A local user may be able to execute arbitrary code with
elevated privileges
Description: A buffer overflow vulnerability exists in the
AirPortDriver module which processes control commands for AirPort. By
sending malformed control commands, a local user could trigger the
overflow which may lead to arbitrary code execution with elevated
privileges. This issue affects eMac, iBook, iMac, PowerBook G3,
PowerBook G4, and Power Mac G4 systems equipped with an original
AirPort card. This issue does not affect systems with the AirPort
Extreme card. This update addresses the issue by performing proper
bounds checking.

CarbonCore
CVE-ID: CVE-2007-0732
Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: A local user may be able to execute arbitrary code with
elevated privileges
Description: The CoreServices daemon could allow a local user to
obtain a send right to its Mach task port, which may lead to
arbitrary code execution with elevated privileges. This update
addresses the issue by through improved checks in the CoreServices
interprocess communication. This issue does not affect systems prior
to Mac OS X v10.4.

diskdev_cmds
CVE-ID: CVE-2007-0734
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Opening a maliciously-crafted UFS disk image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption vulnerability exists in fsck. It is
possible to cause fsck to be run automatically on a disk image when
it is opened. By enticing a user to open a maliciously-crafted disk
image, or to run fsck on any maliciously-crafted UFS filesystem, an
attacker could trigger the issue which may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of UFS
filesystems.

fetchmail
CVE-ID: CVE-2006-5867
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: fetchmail may send passwords in plain text, even when
configured to use TLS
Description: fetchmail is updated to version 6.3.6 to fix a
vulnerability that could allow authentication credentials to be sent
in plain text, despite being configured to use TLS. This issue is
described on the fetchmail web site at
http://fetchmail.berlios.de/fetchmail-SA-2006-02.txt

ftpd
CVE-ID: CVE-2006-6652
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9
Impact: FTP operations by authenticated FTP users may lead to
arbitrary code execution
Description: lukemftpd has been updated to version tnftpd 20061217
to address a buffer overflow vulnerability in the handling of
commands with globbing characters that could lead to arbitrary code
execution. This issue does not affect Mac OS X Server v10.3.9 or
Mac OS X Server v10.4.9. Credit to Kevin Finisterre of
DigitalMunition for reporting this issue.

GNU Tar
CVE-ID: CVE-2006-0300
Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Listing or extracting a maliciously-crafted tar archive
may lead to an unexpected application termination or arbitrary
code execution
Description: A buffer overflow vulnerability exists in the handling
of PAX extended headers in GNU tar archives. By enticing a local user
to list or extract a maliciously-crafted tar archive, an attacker can
trigger the overflow which may lead to an unexpected application
termination or arbitrary code execution. This issue has been
addressed by performing additional validation of tar files. This
issue does not affect systems prior to Mac OS X 10.4.

Help Viewer
CVE-ID: CVE-2007-0646
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Opening a help file with a maliciously-crafted name may
lead to an unexpected application termination or arbitrary code
execution
Description: A format string vulnerability exists in the Help Viewer
application. By enticing a user to download and open a help file with
a maliciously-crafted name, an attacker can trigger the vulnerability
which may lead to an unexpected application termination or arbitrary
code execution. This has been described on the Month of Apple Bugs
web site (MOAB-30-01-2007). This update addresses the issue by
eliminating any format string processing of file names.

HID Family
CVE-ID: CVE-2007-0724
Available for: Mac OS X v10.4 through Mac OS X v10.4.9,
Mac OS X Server v10.4 through Mac OS X Server v10.4.9
Impact: Console keyboard events are exposed to other users on the
local system
Description: Insufficient controls in the IOKit HID interface allow
any logged in user to capture console keystrokes, including passwords
and other sensitive information. This update addresses the issue by
limiting HID device events to processes belonging to the current
console user. Credit to Andrew Garber of University of Victoria, Alex
Harper, and Michael Evans for reporting this issue. This fix was
originally distributed via the Mac OS X v10.4.9 update. Due to a
packaging issue, it may not have been delivered to all systems. This
update redistributes the fix in order to reach all affected systems.

Installer
CVE-ID: CVE-2007-0465
Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Opening an installer package with a maliciously-crafted
name may lead to an unexpected application termination or
arbitrary code execution
Description: A format string vulnerability exists in the Installer
application. By enticing a user to download and install an installer
package with a maliciously-crafted file name, an attacker can trigger
the vulnerability which may lead to an unexpected application
termination or arbitrary code execution. This issue has been
described on the Month of Apple Bugs web site (MOAB-26-01-2007).
This update addresses the issue by eliminating any format string
processing of file names. This issue does not affect systems prior
to Mac OS X v10.4.

Kerberos
CVE-ID: CVE-2006-6143
Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Running the Kerberos administration daemon may lead to
an unexpected application termination or arbitrary code
execution with system privileges
Description: An uninitialized function pointer vulnerability exists
in the MIT Kerberos administration daemon (kadmind), which may lead
to an unexpected application termination or arbitrary code execution
with system privileges. Further information on the issue and the
patch applied is available via the MIT Kerberos website at
http://web.mit.edu/kerberos/ advisories/MITKRB5-SA-2006-002-rpc.txt
This issue does not affect systems prior to Mac OS X v10.4. Credit to
the MIT Kerberos Team and an anonymous researcher working with
iDefense for reporting this issue.

Kerberos
CVE-ID: CVE-2007-0957
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Running the Kerberos administration daemon or the KDC may
lead to an unexpected application termination or arbitrary code
execution with system privileges
Description: A stack buffer overflow vulnerability exists in the MIT
Kerberos administration daemon (kadmind), as well as the KDC, which
may lead to an unexpected application termination or arbitrary code
execution with system privileges. Further information on the issue
and the patch applied is available via the MIT Kerberos website at
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-002-syslog.txt
Credit to the MIT Kerberos Team for reporting this issue.

Kerberos
CVE-ID: CVE-2007-1216
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Running the Kerberos administration daemon may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A double-free vulnerability exists in the GSS-API
library used by the MIT Kerberos administration daemon
(kadmind), which may lead to an unexpected application
termination or arbitrary code execution with system privileges.
Further information on the issue and the patch applied is
available via the MIT Kerberos website at
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-003.txt
Credit to the MIT Kerberos Team for reporting this issue.

Libinfo
CVE-ID: CVE-2007-0735
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Visiting malicious websites may lead to an unexpected
application termination or arbitrary code execution
Description: In some cases, Libinfo does not correctly report errors
to applications that use it. By enticing a user to visit a
maliciously-crafted web page, an attacker can cause a previously
deallocated object to be accessed, which may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing appropriate error reporting in
Libinfo. Credit to Landon Fuller of Three Rings Design for reporting
this issue.

Libinfo
CVE-ID: CVE-2007-0736
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Remote attackers may be able to cause a denial of service or
arbitrary code execution if the portmap service is enabled
Description: An integer overflow vulnerability exists in the RPC
library. By sending maliciously-crafted requests to the portmap
service, a remote attacker can trigger the overflow which may lead to
a denial of service or arbitrary code execution as the 'daemon' user.
This update addresses the issue by performing additional validation
of portmap requests. Credit to the Mu Security Research Team for
reporting this issue.

Login Window
CVE-ID: CVE-2007-0737
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: A local user may obtain system privileges
Description: Login Window does not sufficiently check its
environment variables. This could allow a local user to execute
arbitrary code with system privileges. This update addresses the
issue by through improved validation of Login Window environment
variables.

Login Window
CVE-ID: CVE-2007-0738
Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: The screen saver authentication dialog may be bypassed
Description: Under certain conditions, the user's preference to
"require a password to wake the computer from sleep" is ignored, and
a password is not required to wake from sleep. This update addresses
the issue by through improved handling of this preference.

Login Window
CVE-ID: CVE-2007-0739
Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: The loginwindow authentication dialog may be bypassed
Description: Under certain conditions, the software update window
may appear beneath the Login Window. This could allow a person with
physical access to the system to log in without authentication. This
update addresses the issue by only running scheduled tasks after the
user login. This issue does not affect systems prior to
Mac OS X v10.4.

network_cmds
CVE-ID: CVE-2007-0741
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Remote attackers may be able to cause a denial of service or
arbitrary code execution if Internet Sharing is enabled
Description: A buffer overflow vulnerability exists in the handling
of RTSP packets in natd. By sending malformed RTSP packets, a remote
attacker may be able to trigger the overflow which may lead to
arbitrary code execution. This issue only affects users who have
Internet Sharing enabled. This update addresses the issue by
performing additional validation of rtsp packets.

SMB
CVE-ID: CVE-2007-0744
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: A local user may obtain system privileges
Description: Under certain circumstances, SMB may execute commands
without properly cleaning the environment. This may allow a local
user to create files or execute commands with system privileges. This
update addresses the issue by cleaning the environment prior to
executing commands.

System Configuration
CVE-ID: CVE-2007-0022
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Local admin users may execute arbitrary code with system
privileges without authentication
Description: Admin users have the ability to alter system
preferences through the writeconfig utility. When the writeconfig
utility launches the launchctl utility, it does not clean the
environment inherited from the user. This could allow arbitrary code
execution with system privileges without authentication. This issue
has been described on the Month of Apple Bugs web site
(MOAB-21-01-2007). This update addresses the issue by cleaning the
environment before calling the launchctl utility.

*URLMount
CVE-ID: CVE-2007-0743
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: A local users may obtain other user's authentication
credentials
Description: The username and password used to mount remote
filesystems through connections to SMB servers are passed to the
mount_smb command as command line arguments, which may expose them to
other local users. This update addresses the issue by securely
passing the authentication credentials to the mount_smb command.
Credit to Daniel Ball of Pittsburgh Technical Institute, Geoff Franks
of Hauptman Woodward Medical Research Institute, and Jamie Cox of
Sophos Plc for reporting this issue.

*VideoConference
CVE-ID: CVE-2007-0746
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Remote attackers may be able to cause an unexpected
application termination or arbitrary code execution if iChat is
running.
Description: A heap buffer overflow vulnerability exists in the
VideoConference framework. By sending a maliciously-crafted SIP
packet when initializing an audio/video conference, an attacker can
trigger the overflow which may lead to arbitrary code execution. This
update addresses the issue by performing additional validation of SIP
packets.

WebDAV
CVE-ID: CVE-2007-0747
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: A local user may obtain system privileges
Description: When mounting a WebDAV filesystem, the load_webdav
program may be launched without properly cleaning the environment.
This may allow a local user to create files or execute commands with
system privileges. This update addresses the issue by cleaning the
environment prior to executing commands.

WebFoundation
CVE-ID: CVE-2007-0742
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: Cookies set by subdomains may be accessible to the parent
domain
Description: An implementation issue allows cookies set by
subdomains to be accessible to the parent domain, which may lead to
the disclosure of sensitive information. This update addresses the
issue by performing additional validation of the domain to which a
cookie is being sent. This issue does not affect systems running
Mac OS X v10.4. Credit to Bradley Schwoerer of University of
Wisconsin-Madison for reporting this issue.

.

References

Additional information regarding these vulnerabilities is available at

• http://docs.info.apple.com/article.html?artnum=61798

On April 10, 2007 Microsoft released their monthly security bulletin (revision 2) with the latest security updates for workstations and servers. The Microsoft bulletin lists six (6) security vulnerabilities, with five (5) listed as critical and one (1) listed as important. All these patches should be applied. The five critical ones are patches for GDI (Graphical Device Interface), Content Management Server, Universal Plug and Play (UPnP), Microsoft Agent, and the Client/Server Run-time Subsystem (CSRSS) which all lead to remote execution when a system is left unpatched. The GDI patch includes the ANI cursor vulnerability fix that was released last week. A vulnerability in the Windows Kernel that could allow elevation of privilege is designated as important. Of particular importance is the UPnP patch, as an attacker who has successfully exploited this vulnerability could run arbitrary code in the context of a local service. The UPnP framework uses UDP port 1900 and TCP port 2869, and the Simple Service Discovery Protocol (SSDP) uses multicast remote searches to discover UPnP devices via these two ports. The affected operating system platforms are:

* Windows Server 2003
* Windows XP
* Windows 2000 SP4
* Windows Vista

It is imperative patches with critical and important designations be applied due to the serious nature of remote execution vulnerabilities which can allow for complete compromise and control of systems originating from within campus and the Internet. All six patches will be delivered via BigFix. Details are in the Technical Details section of this post.

What to Do

Windows users can manually use "Windows Update" to download and install the current operating system patches. Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured on their system. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. A customized update will be delivered to workstations and servers via BigFix if you subscribed to this service. The BigFix deliverable includes all six patches. Individual updates can be downloaded by going to the Summary section of this Microsoft website. Please remember to reboot your machine after patching manually, or when prompted to do so by Windows Update or by your BigFix administrator. Most patches do not take effect until after a reboot.

Technical Details

It is important all patches designated as critical or important be applied. The patches for the vulnerabilities are listed as follow, those with an * delivered via BigFix:

Critical (5)

*MS07-017 - Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
Impact: Remote Code Execution

GDI Local Elevation of Privilege Vulnerability - CVE-2006-5758 :
A privilege elevation vulnerability exists in the Graphics Rendering Engine in the way that it starts applications. This vulnerability could allow a logged on user to take complete control of the system.

WMF Denial of Service Vulnerability - CVE-2007-1211:
A denial of service vulnerability exists in Windows when rendering Windows Metafile (WMF) image format files. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding and possibly restart.

EMF Elevation of Privilege Vulnerability CVE-2007-1212:
An elevation of privilege vulnerability exists in the rendering of Enhanced Metafile (EMF) image format files. Any program that renders EMF images on the affected systems could be vulnerable to this attack. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

GDI Invalid Window Size Elevation of Privilege Vulnerability - CVE-2006-5586:
A privilege elevation vulnerability exists in the Graphics Rendering Engine in the way that it renders layered application windows. This vulnerability could allow a logged on user to take complete control of the system.

Windows Animated Cursor Remote Code Execution Vulnerability - CVE-2007-0038:
A remote code execution vulnerability exists in the way that Windows handles cursor, animated cursor, and icon formats. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a specially crafted e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

GDI Incorrect Parameter Local Elevation of Privilege Vulnerability - CVE-2007-1215:
A local elevation of privilege vulnerability exists in the Graphics Device Interface due to the way it processes color-related parameters. This vulnerability could allow an attacker to take complete control of the system.

Font Rasterizer Local Elevation of Privilege Vulnerability - CVE-2007-1213:
A local elevation of privilege vulnerability exists in the TrueType Fonts rasterizer in the way that it handles defective or modified font types. This vulnerability could allow a logged-on user to take complete control of the system.

*MS07-018 - Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution (925939)
Impact: Remote Code Execution

CMS Memory Corruption Vulnerability - CVE-2007-0938:
A remote code execution vulnerability exists in Content Management Server because of the way that it handles a specially crafted HTTP request.

Cross-site Scripting and Spoofing Vulnerability in CMS Vulnerability - CVE-2007-0939:
A cross-site scripting and spoofing vulnerability exists in Microsoft Content Management Server (MCMS) which could allow an attacker to convince a user to run a malicious script. If this malicious script is run, it would execute in the security context of the user. Attempts to exploit this vulnerability require user interaction. This vulnerability could allow an attacker access to any data on the affected systems that was accessible to the individual user.

*MS07-019 - Vulnerability in Universal Plug and Play Could Allow Remote Code Execution (931261)
Impact: Remote Code Execution

UPnP Memory Corruption Vulnerability - CVE-2007-1204:
A remote code execution vulnerability exists in the Universal Plug and Play service in the way that it handles specially crafted HTTP requests. An attacker who has successfully exploited this vulnerability could run arbitrary code in the context of local service.

*MS07-020 - Vulnerability in Microsoft Agent Could Allow Remote Code Execution (932168)
Impact: Remote Code Execution

Microsoft Agent URL Parsing Vulnerability Could Allow Remote Code Execution- CVE-2007-1205:
A remote code execution vulnerability exists in Microsoft Agent in the way that it handles certain specially crafted URLs.

*MS07-021 - Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178)
Impact: Remote Code Execution

MsgBox (CSRSS) Remote Code Execution Vulnerability - CVE-2006-6696:
A remote code execution vulnerability exists in the Windows Client/Server Run-time Subsystem (CSRSS) process because of the way that it handles error messages. An attacker could exploit the vulnerability by constructing a specially crafted application that could potentially allow remote code execution.

CSRSS Local Elevation of Privilege Vulnerability - CVE-2007-1209:
A privilege elevation vulnerability exists in the way that the Windows 32 Client/Server Run-time Subsystem (CSRSS) handles its connections during the startup and stopping of processes.

CSRSS DoS Vulnerability - CVE-2006-6797:
A denial of service vulnerability exists in the Client/Server Run-time Subsystem (CSRSS) service because of the way it handles error messages. An attacker could exploit the vulnerability by running a specially crafted application causing the system to restart.

Important (1)

*MS07-022 - Vulnerability in Windows Kernel Could Allow Elevation of Privilege (931784)
Impact: Elevation of Privilege

Kernel Local Elevation of Privilege Vulnerability - CVE-2007-1206:
A privilege elevation vulnerability exists in Windows Kernel because of incorrect permissions on a mapped memory segment. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Affected Platforms and Applications:

Windows 2000 Service Pack 4
Windows XP Service Pack 2
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003
Windows Server 2003 Service Pack 1
Windows Server 2003 Service Pack 2
Windows Server 2003 for Itanium-based Systems
Windows Server 2003 with SP1 for Itanium-based Systems
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition
Windows Server 2003 x64 Edition Service Pack 2
Windows Vista
Windows Vista x64 Edition

Content Management Server 2001 Service Pack 1
Content Management Server 2002 Service Pack 2

References

Detailed information about specific affected platforms and applications can be found at:
http://www.microsoft.com/technet/security/bulletin/ms07-apr.mspx

On March 13, 2007, Apple released Security Update APPLE-SA-2007-03-13 and MAC OS X v10.4.9, either which can be used to correct thirty (30) security vulnerabilities. Of particular importance are patches for vulnerabilities in:

• Servermgrd, which may allow remote attackers to access Server Manager without valid credentials.
• IOKit HID interface, where insufficient controls allow any logged in user to capture console keystrokes, including passwords and other sensitive information.
• AppleTalk protocol handler, where a heap buffer overflow can lead to denial of service or arbitrary code execution.
• DirectoryService, where an implementation flaw allows an unpriviledged LDAP user to change the local root password.
• CUPS service, where a partially-negotiated SSL connection with this service may lead to a denial of service.
• OpenSSH, where multiple vulnerabilities can lead to arbitrary code execution.
• QuickDraw and ImageIO, where opening a maliciously-crafted PICT, GIF, or RAW image may lead to an
  unexpected application termination or arbitrary code execution.
  
• My SQL Server, where multiple vulnerabilities exists that can lead to arbitrary code execution.
  
• Kernel, where using the fpathconf() or shared_region_make_private_np() system calls can lead to arbitrary code execution.
  
  

Unless noted, all vulnerabilities can lead to arbitrary crash or arbitrary code execution if left unpatched. It is important that all Macintosh systems be patched.

What to Do

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Mac OS X v10.4.9 or Security Update 2007-003.

Mac OS X v10.4.9 and Security Update 2007-003 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/


For Mac OS X v10.3.9
The download file is named: "SecUpd2007-003Pan.dmg"
Its SHA-1 digest is: 5b6cf9b8a9d0a9afc5d9196f2e54380e5dd6d9b6

For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2007-003Pan.dmg"
Its SHA-1 digest is: 89d57e9a5faa24e82a5991184468a611bc0bc0bc

For Mac OS X v10.4.8 (PowerPC)
The download file is named: "MacOSXUpd10.4.9PPC.dmg"
Its SHA-1 digest is: 380b0db5c8978a025cfc9b19e46845a51608d5be

For Mac OS X v10.4 (PowerPC) through v10.4.7 (PowerPC)
The download file is named: "MacOSXUpdCombo10.4.9PPC.dmg"
Its SHA-1 digest is: 32af8d8aacac4d696a339f3e11074f2f436c1772

For Mac OS X v10.4.8 (Intel)
The download file is named: "MacOSXUpd10.4.9Intel.dmg"
Its SHA-1 digest is: 80ce586b1f5640bd2fc191354013890b8f0c47dd

For Mac OS X v10.4.4 (Intel) through v10.4.7 (Intel)
The download file is named: "MacOSXUpdCombo10.4.9Intel.dmg"
Its SHA-1 digest is: 29c7a75a0ed2af9ed1f510e8a5c591c8dfeb9605

For Mac OS X Server v10.4.8 (PowerPC)
The download file is named: "MacOSXServerUpd10.4.9PPC.dmg"
Its SHA-1 digest is: 5c1ba866d515c476eae55a1dbfc7dd8226804bba

For Mac OS X Server v10.4 through v10.4.7 (PowerPC)
The download file is named: "MacOSXSrvrCombo10.4.9PPC.dmg"
Its SHA-1 digest is: 7b0df34abb43aace52e6298dbe2c3de24760745d

For Mac OS X Server v10.4.8 (Universal)
The download file is named: "MacOSXServerUpd10.4.9Univ.dmg"
Its SHA-1 digest is: 9c448563e8195f561ebac2f8d15ce4bf1c6d48f5

For Mac OS X Server v10.4.7 (Universal)
The download file is named: "MacOSXSrvrCombo10.4.9Univ.dmg"
Its SHA-1 digest is: 494e2949f101399a9691f138952f03331063bcf0

Information will also be posted to the Apple Security Updates
web site:
http://docs.info.apple.com/article.html?artnum=61798

Technical Details

The following is a list of the vulnerabilities and their corresponding fixes:

ColorSync
CVE-ID: CVE-2007-0719
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Viewing a maliciously-crafted image with an embedded
ColorSync profile may lead to an unexpected application
termination or arbitrary code execution
Description: A stack buffer overflow exists in the handling of
embedded ColorSync profiles. By enticing a user to open a
maliciously-crafted image, an attacker can trigger the overflow,
which may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue by
performing additional validation of ColorSync profiles.

CoreGraphics
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Viewing a malformed PDF Document may lead to an
application hang
Description: CoreGraphics has been updated to address the issue
described on the Month of Apple Bugs web site (MOAB-06-01-2007),
which may lead to an application hang.

Crash Reporter
CVE-ID: CVE-2007-0467
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Crash Reporter may allow a local admin user to obtain
system privileges
Description: Crash Reporter uses an admin-writable system
directory to store logs of processes that have been unexpectedly
terminated. A malicious process running as an admin can cause
these logs to be written to arbitrary files as root, which could
result in the execution of commands with elevated privileges.
This issue has been described on the Month of Apple Bugs web
site (MOAB-28-01-2007). This update addresses the issue by
performing additional validation prior to writing to log files.

CUPS
CVE-ID: CVE-2007-0720
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Remote attackers may cause a denial of service during
SSL negotiation
Description: A partially-negotiated SSL connection with the CUPS
service may prevent other requests from being served until the
connection is closed. This update addresses the issue by
implementing timeouts during SSL negotiation.

Disk Images
CVE-ID: CVE-2007-0721
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Mounting a maliciously-crafted disk image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption vulnerability exists in
diskimages-helper. By enticing a user to open a maliciously-crafted
compressed disk image, an attacker could trigger this issue which
may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue by performing
additional validation of disk images.

Disk Images
CVE-ID: CVE-2007-0722
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Mounting a maliciously-crafted AppleSingleEncoding disk
image may lead to an unexpected application termination or
arbitrary code execution
Description: An integer overflow vulnerability exists in the
handler for AppleSingleEncoding disk images. By enticing a local
user to open a maliciously-crafted disk image, an attacker could
trigger the overflow which may lead to an unexpected application
termination or arbitrary code execution. This update addresses
the issue by performing additional validation of
AppleSingleEncoding disk images.

Disk Images
CVE-ID: CVE-2006-6061, CVE-2006-6062, CVE-2006-5679,
CVE-2007-0229, CVE-2007-0267, CVE-2007-0299
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Downloading a maliciously-crafted disk image may lead to
an unexpected system shutdown or arbitrary code execution
Description: Several vulnerabilities exist in the processing of
disk images that may lead to an unexpected termination of system
operations or arbitrary code execution. These have been
described on the Month of Kernel Bugs and Month of Apple Bugs
web sites (MOKB-03-11-2006, MOKB-20-11-2006, MOKB-21-11-2006,
MOAB-10-01-2007, MOAB-11-01-2007 and MOAB-12-01-2007). Since a
disk image may be automatically mounted when visiting web sites,
this allows a malicious web site to cause a denial of service.
This update addresses the issue by performing additional
validation of downloaded disk images prior to mounting them.

DS Plug-Ins
CVE-ID: CVE-2007-0723
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Unprivileged LDAP users may be able to change the local
root password
Description: An implementation flaw in DirectoryService allows
an unprivileged LDAP user to change the local root password. The
authentication mechanism in DirectoryService has been fixed to
address this issue.

Flash Player
CVE-ID: CVE-2006-5330
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Playing maliciously-crafted Flash content could allow an
HTTP request splitting attack
Description: Adobe Flash Player is updated to version 9.0.28.0
to fix a potential vulnerability that could allow HTTP request
splitting attacks. This issue is described as APSB06-18 on the
Adobe web site at http://www.adobe.com/support/security/

GNU Tar
CVE-ID: CVE-2006-0300, CVE-2006-6097
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Multiple vulnerabilities in GNU Tar, the most serious of
which is arbitrary code execution
Description: GNU Tar is updated from version 1.14 to 1.16.1.
Further information is available via the GNU web site at
http://www.gnu.org/software/tar/

HFS
CVE-ID: CVE-2007-0318
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Removing a file from a maliciously-crafted mounted
filesystem may lead to a denial of service
Description: An HFS+ filesystem in a mounted disk image can be
constructed to trigger a kernel panic when attempting to remove
a file from a mounted filesystem. This has been described on the
Month of Apple Bugs web site (MOAB-13-11-2006). This update
addresses the issue by performing additional validation of the
HFS+ filesystem.

HID Family
CVE-ID: CVE-2007-0724
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Console keyboard events are exposed to other users on
the local system
Description: Insufficient controls in the IOKit HID interface
allow any logged in user to capture console keystrokes,
including passwords and other sensitive information. This update
addresses the issue by limiting HID device events to processes
belonging to the current console user.

ImageIO
CVE-ID: CVE-2007-1071
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Viewing a maliciously-crafted GIF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow vulnerability exists in the
process of handling GIF files. By enticing a user to open a
maliciously-crafted image, an attacker can trigger the overflow
which may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue by
performing additional validation of GIF files. This issue does
not affect systems prior to Mac OS X v10.4.
ImageIO
CVE-ID: CVE-2007-0733
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Viewing a maliciously-crafted RAW Image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the process of
handling RAW images. By enticing a user to open a
maliciously-crafted image, an attacker can trigger the issue
which may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue by
performing additional validation of RAW images. This issue does
not affect systems prior to Mac OS X v10.4.

Kernel
CVE-ID: CVE-2006-5836
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Malicious local users may be able to cause a denial of
service
Description: Using the fpathconf() system call on certain file
types will result in a kernel panic. This has been described on
the Month of Kernel Bugs web site (MOKB-09-11-2006). This update
addresses the issue through improved handling for all kernel
defined file types.

Kernel
CVE-ID: CVE-2006-6129
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Executing a maliciously-crafted Universal Mach-O
binary may lead to an unexpected termination of system
operations or arbitrary code execution with elevated privileges
Description: An integer overflow vulnerability exists in the
loading of Universal Mach-O binaries. This could allow a
malicious local user to cause a kernel panic or to obtain system
privileges. This has been described on the Month of Kernel Bugs
web site (MOKB-26-11-2006). This update addresses the issue by
performing additional validation of Universal binaries.

Kernel
CVE-ID: CVE-2006-6173
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Executing a maliciously-crafted program may lead to a
system hang
Description: The shared_region_make_private_np() system call
allows a program to request a large allocation of kernel memory.
This could allow a malicious local user to cause a system hang.
This issue does not allow an integer overflow to occur, and it
cannot lead to arbitrary code execution. This issue has been
described on the Month of Kernel Bugs web site
(MOKB-28-11-2006). This update addresses the issue by additional
validation of the arguments passed to
shared_region_make_private_np().

MySQL Server
CVE-ID: CVE-2006-1516, CVE-2006-1517, CVE-2006-2753,
CVE-2006-3081, CVE-2006-4031, CVE-2006-4226, CVE-2006-3469
Available for: Mac OS X Server v10.4 through Mac OS X Server
v10.4.8
Impact: Multiple vulnerabilities in MySQL, the most serious of
which is arbitrary code execution
Description: MySQL is updated from version 4.1.13 to 4.1.22.
Further information is available via the MySQL web site at
http://dev.mysql.com/doc/refman/4.1/en/news-4-1-x.html

Networking
CVE-ID: CVE-2006-6130
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Malicious local users may be able to cause an unexpected
termination of system operations or execute arbitrary code with
elevated privileges
Description: A memory corruption issue exists in the AppleTalk
protocol handler. This could allow a malicious local user to
cause a kernel panic or gain system privileges. This has been
described on the Month of Kernel Bugs web site
(MOKB-27-11-2006). This update addresses the issue by performing
additional validation of the input data structures.

Networking
CVE-ID: CVE-2007-0236
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Maliciously-crafted AppleTalk requests may lead to a
local denial of service or arbitrary code execution
Description: A heap buffer overflow vulnerability exists in the
AppleTalk protocol handler. By sending a maliciously-crafted
request, a local user can trigger the overflow which may lead to
a denial of service or arbitrary code execution. This has been
described on the Month of Apple Bugs web site (MOAB-14-01-2007).
This update addresses the issue by performing additional
validation of the input data.

OpenSSH
CVE-ID: CVE-2007-0726
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: A remote attacker can destroy established trust between
SSH hosts by causing SSH Keys to be regenerated
Description: SSH keys are created on a server when the first SSH
connection is established. An attacker connecting to the server
before SSH has finished creating the keys could force the keys
then to be recreated. This could result in a denial of service
against processes that rely on a trust relationship with the
server. Systems that already have SSH enabled and have rebooted
at least once are not vulnerable to this issue. This issue is
addressed by improving the SSH key generation process. This
issue is specific to the Apple implementation of OpenSSH.

OpenSSH
CVE-ID: CVE-2006-0225, CVE-2006-4924, CVE-2006-5051,
CVE-2006-5052
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Multiple vulnerabilities in OpenSSH, the most serious of
which is arbitrary code execution
Description: OpenSSH is updated to version 4.5. Further
information is available via the OpenSSH web site at http://
www.openssh.org/txt/release-4.5.

Printing
CVE-ID: CVE-2007-0728
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: An unprivileged local user can overwrite arbitrary files
with system privileges
Description: Insecure file operations may occur during the
initialization of a USB printer. An attacker may leverage this
issue to create or overwrite arbitrary files on the system. This
update addresses the issue by improving the printer
initialization process.

QuickDraw Manager
CVE-ID: CVE-2007-0588
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Opening a maliciously-crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow vulnerability exists in
QuickDraw's PICT image processing. By enticing a user to open a
maliciously-crafted image, an attacker can trigger the overflow
which may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue by
performing additional validation of PICT files.

QuickDraw Manager
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Opening a malformed PICT image may lead to an unexpected
application termination
Description: QuickDraw Manager has been updated to address the
issue described on the Month of Apple Bugs web site
(MOAB-23-01-2007), which may lead to an unexpected application
termination. This issue does not lead to arbitrary code
execution.

servermgrd
CVE-ID: CVE-2007-0730
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Remote attackers may be able to access Server Manager
without valid credentials
Description: An issue in Server Manager's validation of
authentication credentials could allow a remote attacker to
alter the system configuration. This update addresses the issue
by additional validation of authentication credentials.

SMB File Server
CVE-ID: CVE-2007-0731
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: A user with write access to an SMB share may be able to
cause a denial of service or arbitrary code execution
Description: A stack buffer overflow vulnerability exists in an
Apple-specific Samba module. A file with an overly-long ACL
could trigger the overflow, which may lead to a denial of
service or arbitrary code execution. This update addresses the
issue by performing additional validation of ACLs. This issue
does not affect systems prior to Mac OS X v10.4.

Software Update
CVE-ID: CVE-2007-0463
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Opening a maliciously-crafted Software Update Catalog
file may lead to an unexpected application termination or
arbitrary code execution
Description: A format string vulnerability exists in the
Software Update application. By enticing a user to download and
open a Software Update Catalog file, an attacker can trigger the
vulnerability which may lead to an unexpected application
termination or arbitrary code execution. This has been described
on the Month of Apple Bugs web site (MOAB-24-01-2007). This
update addresses the issue by removing document bindings for
Software Update Catalogs. This issue does not affect systems
prior to Mac OS X v10.4.

sudo
CVE-ID: CVE-2005-2959
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: A local user with sudo access to a bash script can run
arbitrary commands with elevated privileges
Description: A user-modified sudo configuration could allow
environment variables to be passed through to the program
running as a privileged user. If sudo is configured to allow an
otherwise unprivileged user to execute a given bash script with
elevated privileges, the user may be able to execute arbitrary
code with elevated privileges. Systems with the default sudo
configuration are not vulnerable to this issue. This issue has
been addressed by updating sudo to 1.6.8p12. Further information
is available via the sudo web site at
http://www.sudo.ws/sudo/current.html

WebLog
CVE-ID: CVE-2006-4829
Available for: Mac OS X Server v10.4 through Mac OS X Server
v10.4.8
Impact: A remote attacker can conduct cross-site scripting
attacks through Blojsom
Description: A cross-site scripting vulnerability exists in
Blojsom. This allows remote attackers to inject JavaScript into
blog content that will execute in the domain of the Blojsom
server. This update addresses the issue by performing additional
validation of the user input. This issue does not affect systems
prior to Mac OS X v10.4.

References

Additional information regarding these vulnerabilities is available at

• http://docs.info.apple.com/article.html?artnum=61798

On March 3, 2007, Apple released Security Update APPLE-SA-2007-03-05 to correct multiple vulnerabilities for QuickTime under Macintosh OS X v10.3.9 and later, and Windows Vista/XP/2000. This latest update, solely for QuickTime, adds functionality and fixes eight (8) QuickTime security vulnerabilities. Unless noted, all these vulnerabilities can lead to arbitrary crash or arbitrary code execution if left unpatched. All these vulnerabilities are exploitable when a user is initially enticed to open a file from QuickTime ( but not initially exploitable via TCP/UDP ports). It is advised that all campus systems with QuickTime update to QuickTime version 7.1.5 if they have not done so.

What to Do

QuickTime 7.1.5 may be obtained from the Software Update
application, or from the Download area in the QuickTime site
http://www.apple.com/quicktime/download/

For Mac OS X v10.3.9 or later
The download file is named: "QuickTime715.dmg"
Its SHA-1 digest is: 68e621a81560610a37bbf8be5695c751c006627d

QuickTime 7.1.5 for Windows Vista/XP/2000
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 138d028e7b7c77b8938ae65a14369587a7752a85

QuickTime 7.1.5 with iTunes for Windows Vista/XP/2000
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 0a32a8c929cd8f893793a5c260d437726728fe0d

Technical Details

The following is a list of the vulnerabilities and their corresponding fixes:

QuickTime
CVE-ID: CVE-2007-0711
Available for: Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted 3GP file may lead to an
application crash or arbitrary code execution
Description: An integer overflow exists in QuickTime's handling
of 3GP video files. By enticing a user to open a malicious
movie, an attacker can trigger the overflow, which may lead
to an application crash or arbitrary code execution. This update
addresses the issue by performing additional validation of 3GP
video files. This issue does not affect Mac OS X.

QuickTime
CVE-ID: CVE-2007-0712
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted MIDI file may lead to an
application crash or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's
handling of MIDI files. By enticing a user to open a malicious
MIDI file, an attacker can trigger the overflow, which may lead
to an application crash or arbitrary code execution. This update
addresses the issue by performing additional validation of MIDI
files.

QuickTime
CVE-ID: CVE-2007-0713
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted Quicktime movie file may
lead to an application crash or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's
handling of QuickTime movie files. By enticing a user to access
a maliciously-crafted movie, an attacker can trigger the
overflow, which may lead to an application crash or arbitrary
code execution. This update addresses the issue by performing
additional validation of QuickTime movies.

QuickTime
CVE-ID: CVE-2007-0714
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted Quicktime movie file may
lead to an application crash or arbitrary code execution
Description: An integer overflow exists in QuickTime's handling
of UDTA atoms in movie files. By enticing a user to access a
maliciously-crafted movie, an attacker can trigger the overflow,
which may lead to an application crash or arbitrary code
execution. This update addresses the issue by performing
additional validation of QuickTime movies.

QuickTime
CVE-ID: CVE-2007-0715
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted PICT file may lead to an
application crash or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's
handling of PICT files. By enticing a user to open a malicious
PICT image file an attacker can trigger the overflow, which may
lead to arbitrary code execution. This update addresses the
issue by performing additional validation of PICT files.

QuickTime
CVE-ID: CVE-2007-0716
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Opening a maliciously-crafted QTIF file may lead to an
application crash or arbitrary code execution
Description: A stack buffer overflow exists in QuickTime's
handling of QTIF files. By enticing a user to access a
maliciously-crafted QTIF file, an attacker can trigger the
overflow, which may lead to an application crash or arbitrary
code execution. This update addresses the issue by performing
additional validation of QTIF files.

QuickTime
CVE-ID: CVE-2007-0717
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Opening a maliciously-crafted QTIF file may lead to an
application crash or arbitrary code execution
Description: An integer overflow exists in QuickTime's handling
of QTIF files. By enticing a user to access a maliciously-crafted
QTIF file, an attacker can trigger the overflow, which may lead to
an application crash or arbitrary code execution. This update
addresses the issue by performing additional validation of QTIF
files.

QuickTime
CVE-ID: CVE-2007-0718
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Opening a maliciously-crafted QTIF file may lead to an
application crash or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's
handling of QTIF files. By enticing a user to access a
maliciously-crafted QTIF file, an attacker can trigger the
overflow, which may lead to an application crash or arbitrary
code execution. This update addresses the issue by performing
additional validation of QTIF files.

References

Additional information regarding these vulnerabilities is available at

• http://docs.info.apple.com/article.html?artnum=61798

On February 15, 2007, Apple released Security Update 2007-002 to correct multiple vulnerabilities for the Macintosh OS and corresponding component/applications. This combined security update is designed to fix four (4) security vulnerabilities in Finder, ichat, and UserNotification. Unless noted, all these vulnerabilities can lead to arbitrary crash, arbitrary code execution, or elevation of system privileges if left unpatched.

What to Do

Security Update 2007-002 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.8 (PowerPC)
The download file is named: "SecUpd2007-002Ti.dmg"
Its SHA-1 digest is: 79da4e0f61288277f9896e761903abf748d2dc21

For Mac OS X v10.4.8 (Intel)
The download file is named: "SecUpd2007-002Univ.dmg"
Its SHA-1 digest is: 9a4b97853ac05ff407a8b8fe0906d916e219648b

For Mac OS X v10.3.9
The download file is named: "SecUpd2007-002Pan.dmg"
Its SHA-1 digest is: 81199248bf7218d8788663153131ab51d31320a1

Technical Details

The following is a list of the vulnerabilities and their corresponding fixes:

Finder
CVE-ID: CVE-2007-0197
Available for: Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Mounting a maliciously-crafted disk image may lead to an application crash or arbitrary code execution.
Description: A buffer overflow exists in Finder's handling of volume names. By enticing a user to mount a malicious disk image, an attacker could trigger this issue, which may lead to an application crash or arbitrary code execution. A proof of concept for this issue has been published on the Month of Apple Bugs web site (MOAB-09-01-2007). This update addresses the issue by performing additional validation of disk images. This issue does not affect systems prior to Mac OS X v10.4.

iChat
CVE-ID: CVE-2007-0614, CVE-2007-0710
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Attackers on the local network may be able to cause iChat to crash.
Description: A null pointer dereference in iChat's Bonjour message handling could allow a local network attacker to cause an application crash. A proof of concept for this issue in Mac OS X v10.4 has been published on the Month of Apple Bugs web site (MOAB-29-01-2007). This update addresses the issues by performing additional validation of Bonjour messages.

iChat
CVE-ID: CVE-2007-0021
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Visiting malicious websites may lead to an application crash or arbitrary code execution.
Description: A format string vulnerability exists in the iChat AIM URL handler. By enticing a user to access a maliciously-crafted AIM URL, an attacker can trigger the overflow, which may lead to anapplication crash or arbitrary code execution. A proof of concept for this issue has been published on the Month of Apple Bugs web site (MOAB-20-01-2007). This update addresses the issue by performing additional validation of AIM URLs.

UserNotification
CVE-ID: CVE-2007-0023
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Malicious local users may be able to obtain system privileges.
Description: The UserNotificationCenter process runs with elevated privileges in the context of a local user. This may allow a malicious local user to overwrite or modify system files. A program that triggers this issue has been published on the Month of Apple Bugs web site (MOAB-22-01-2007). This update addresses the issue by having UserNotificationCenter drop its group privileges immediately after launching.

References

Additional information regarding these vulnerabilities is available at

• http://docs.info.apple.com/article.html?artnum=61798

On February 12, 2007 Microsoft released their monthly security bulletin with the latest security updates for workstations and servers. The Microsoft bulletin lists twelve (12) security vulnerabilities, with six (6) listed as critical and six(6) listed as important. All these patches should be applied. The six critical ones are patches for HTML Help ActiveX, MDAC Active X, Malware protection, MS Word, MS office, and IE Internet Explorer which all lead to remote execution when a system is left unpatched. The affected operating system platforms are:

* Windows Server 2003
* Windows XP
* Windows 2000 SP4

It is imperative patches with critical and important designations be applied due to the serious nature of remote execution vulnerabilities which can allow for complete compromise and control of systems originating from within campus and the Internet. With the exception of the critical MS Word, MS Office, and malware patches, the rest of this month's patches will be delivered via BigFix. Local Big Fix admins are to apply the MS Office, MS Word, and malware patches manually. Details are in the Technical Details section of this post.

What to Do

Windows users can manually use "Windows Update" to download and install the current operating system patches. Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured on their system. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. A customized update will be delivered to workstations and servers via BigFix if you subscribed to this service. The BigFix deliverable includes all of the patches of this bulletin with the exception of the MS Word, MS Office, and malware patches. Individual updates can be downloaded by going to the Summary section of this Microsoft website. Please remember to reboot your machine after patching manually, or when prompted to do so by Windows Update or by your BigFix administrator. Most patches do not take effect until after a reboot.

Technical Details

It is important all patches designated as critical or important be applied. The patches for the vulnerabilities are listed as follow, and will all be delivered via BigFix:

Critical (6):

*Microsoft Security Bulletin MS07-008
Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution (928843)
his update resolves a vulnerability in HTML Help that could allow remote code execution.

HTML Help ActiveX Control Vulnerability - CVE-2007-0214
A remote code execution vulnerability exists in the HTML Help ActiveX control. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user visited that page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

*Microsoft Security Bulletin MS07-009
Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution(927779)
This update resolves a vulnerability in Microsoft Data Access Components that could allow remote code execution.

Microsoft Windows MDAC ActiveX Vulnerability - CVE-2006-5559:
A remote code execution vulnerability exists in the ADODB.Connection ActiveX control that is provided as part of the ActiveX Data Objects (ADO) and that is distributed in MDAC. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Microsoft Security Bulletin MS07-010
Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution (932135)
This update resolves a vulnerability in the Microsoft Malware Protection Engine that could allow remote code execution.

Microsoft Malware Protection Engine Vulnerability - CVE-2006-5270:
A remote code execution vulnerability exists in the Microsoft Malware Protection Engine because of the way that it parses Portable Document Format (PDF) files. An attacker could exploit the vulnerability by constructing a specially crafted PDF File that could potentially allow remote code execution when the target computer system receives, and the Microsoft Malware Protection Engine scans, the PDF file.

Microsoft Security Bulletin MS07-014
Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (929434)
This update resolves vulnerabilities in Microsoft Word that could allow remote code execution.

Word Malformed String Vulnerability - CVE-2006-5994:
A remote code execution vulnerability exists in the way Microsoft Word handles Word files with a specially crafted string. Such a specially crafted file might be included as an e-mail attachment or hosted on a malicious Web site. An attacker could exploit the vulnerability by constructing a specially crafted Word file that could allow remote code execution.

Word Malformed Data Structures Vulnerability - CVE-2006-6456:
A remote code execution vulnerability exists in the way Microsoft Word handles Word files with a specially crafted data structure. Such a specially crafted file might be included as an e-mail attachment or hosted on a malicious Web site. An attacker could exploit the vulnerability by constructing a specially crafted Word file that could allow remote code execution. Viewing or previewing a malformed e-mail message in an affected version of Outlook could not lead to exploitation of this vulnerability.

Word Count Vulnerability – CVE-2006-6561:
A remote code execution vulnerability exists in Microsoft Word. An attacker could exploit this vulnerability when Word parses a file and processes an unchecked count. Such a specially crafted file might be included as an e-mail attachment or hosted on a malicious Web site. An attacker could exploit the vulnerability by constructing a specially crafted Word file that could allow remote code execution. Viewing or previewing a malformed e-mail message in an affected version of Outlook could not lead to exploitation of this vulnerability.

Word Macro Vulnerability – CVE-2007-0208:
A remote code execution vulnerability exists in Microsoft Word. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Word Malformed Drawing Object Vulnerability - CVE-2007-0209:
A remote code execution vulnerability exists in Microsoft Word. An attacker could exploit this vulnerability when Word parses a file and processes a malformed drawing object. Such a specially crafted file might be included as an e-mail attachment or hosted on a malicious Web site. An attacker could exploit the vulnerability by constructing a specially crafted Word file that could allow remote code execution.

Word Malformed Function Vulnerability - CVE-2007-0515:
A remote code execution vulnerability exists in Microsoft Word. An attacker could exploit this vulnerability when Word parses a file and processes a malformed function. Such a specially crafted file might be included as an e-mail attachment or hosted on a malicious web site. Viewing or previewing a malformed e-mail message in an affected version of Outlook could not lead to exploitation of this vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Word file that could allow remote code execution.

Microsoft Security Bulletin MS07-015
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (932554)
This update resolves vulnerabilities in Microsoft Office that could allow remote code execution.

PowerPoint Malformed Record Memory Corruption Vulnerability - CVE-2006-3877:
A remote code execution vulnerability exists in PowerPoint and could be exploited when PowerPoint opened a specially crafted file. Such a file might be included in an e-mail attachment or hosted on a malicious web site. An attacker could exploit the vulnerability by constructing a specially crafted PowerPoint file that could allow remote code execution.

Excel Malformed Record Vulnerability - CVE-2007-0671:
A remote code execution vulnerability exists in Excel and could be exploited when Excel opened a specially crafted file. Such a file might be included in an e-mail attachment or hosted on a malicious web site. An attacker could exploit the vulnerability by constructing a specially crafted Excel file that could allow remote code execution.

*Microsoft Security Bulletin MS07-016
Cumulative Security Update for Internet Explorer (928090)
This update resolves vulnerabilities in Internet Explorer that could allow remote code execution.

COM Object Instantiation Memory Corruption Vulnerability - CVE-2006-4697:
A remote code execution vulnerability exists in the way Internet Explorer instantiates COM objects that are not intended to be instantiated in Internet Explorer. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

COM Object Instantiation Memory Corruption Vulnerability - CVE-2007-0219:
A remote code execution vulnerability exists in the way Internet Explorer instantiates COM objects that are not intended to be instantiated in Internet Explorer. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

FTP Server Response Parsing Memory Corruption Vulnerability - CVE-2007-0217:
A remote code execution vulnerability exists in the way Internet Explorer interprets certain responses from FTP servers. An attacker could exploit the vulnerability by sending specially crafted FTP responses in an FTP session to the FTP client included in Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Important (6)

*Microsoft Security Bulletin MS07-005
Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (923723)
This update resolves a vulnerability in Step-by-Step Interactive Training that could allow remote code execution. User interaction is required to exploit this vulnerability.

Interactive Training Vulnerability - CVE-2006-3448:
A remote code execution vulnerability exists in Step-by-Step Interactive Training because of the way that Step-by-Step Interactive Training handles bookmark link files. An attacker could exploit the vulnerability by constructing a specially crafted bookmark link file that could potentially allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.

*Microsoft Security Bulletin MS07-006
Vulnerability in Windows Shell Could Allow Elevation of Privilege (928255)
This update resolves a vulnerability in Windows Shell that could allow elevation of privilege.

Windows Shell Hardware Detection Vulnerability - CVE-2007-0211:
A privilege elevation vulnerability exists in Windows Shell in the way that the operating system performs detection and registration of new hardware. This vulnerability could allow an authenticated user to take complete control of the system.

*Microsoft Security Bulletin MS07-007
Vulnerability in Windows Image Acquisition Service Could Allow Elevation of Privilege (927802)
This update resolves a vulnerability in the Windows Image Acquisition Service that could allow elevation of privilege.

Windows Image Acquisition Vulnerability - CVE-2007-0210:
A privilege elevation vulnerability exists in Windows XP Service Pack 2 in the way that the Window Image Acquisition Service starts applications. This vulnerability could allow a logged on user to take complete control of the system.

*Microsoft Security Bulletin MS07-011
Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution (926436)
This update resolves a vulnerability in Microsoft OLE Dialog that could allow remote code execution. User interaction is required to exploit this vulnerability.

OLE Dialog Memory Corruption Vulnerability - CVE-2007-0026:
A remote code execution vulnerability exists in the OLE Dialog component provided with Microsoft Windows. An attacker could attempt to exploit this vulnerability when a user interacts with a malformed embedded OLE object within a Rich Text Format (RTF) file.

*Microsoft Security Bulletin MS07-012
Vulnerability in Microsoft MFC Could Allow Remote Code Execution (924667)
This update resolves a vulnerability in Microsoft MFC that could allow remote code execution. User interaction is required to exploit this vulnerability.

MFC Memory Corruption Vulnerability - CVE-2007-0025:
A remote code execution vulnerability exists in the MFC component provided with Microsoft Windows and Visual Studio. An attacker could exploit this vulnerability when a user interacts with a malformed embedded OLE object within a Rich Text Format (RTF) file.

*Microsoft Security Bulletin MS07-013
Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution (918118)
This update resolves a vulnerability in Microsoft RichEdit that could allow remote code execution. User interaction is required to exploit this vulnerability.

Microsoft RichEdit Vulnerability - CVE-2006-1311:
A remote code execution vulnerability exists in the RichEdit components provided with Microsoft Windows and Microsoft Office. An attacker could exploit this vulnerability when a user interacts with a malformed embedded OLE object within a Rich Text Format (RTF) file.

Affected Platforms and Applications:

.Windows Server 2003 Service Pack 1
.Windows Server 2003
.Windows Server 2003 with SP1 for Itanium-based Systems
.Windows Server 2003 for Itanium-based Systems
.Windows Server 2003 x64 Edition
.Windows XP Service Pack 2
.Windows XP Professional x64 Edition
.Windows 2000 Service Pack 4

Office 2000 Service Pack 3
Office 2000 Multilanguage Packs
Project 2000 Service Release 1
Word 2000
Office XP Service Pack 3
Project 2002 Service Pack 1
Visio 2002 Service Pack 2
Word 2002
Office 2003 Service Pack 2
Word 2003
Word 2003 Viewer
Learning Essentials 1.0
Learning Essentials 1.1
Learning Essentials 1.5
Global Input Method Editor for Office 2000 (Japanese)
Microsoft Office 2004 for Mac
Word 2004 for Mac
Microsoft Works Suites 2004, 2005, and 2006

Visual Studio .NET 2002
Visual Studio .NET 2002 Service Pack 1
Visual Studio .NET 2003
Visual Studio .NET 2003 Service Pack 1

Microsoft Data Access Components 2.5 Service Pack 3 on Windows 2000 SP4
Microsoft Data Access Components 2.7 Service Pack 1 when installed on Windows 2000 SP4
Microsoft Data Access Components 2.8 when installed on Windows 2000 SP4
Microsoft Data Access Components 2.8 Service Pack 1 when installed on Windows 2000 SP4
Microsoft Data Access Components 2.8 Service Pack 1 on Windows XP SP2
Microsoft Data Access Components 2.8 on Windows Server 2003
Microsoft Data Access Components 2.8 on Windows Server 2003 on Itanium-based Systems
Microsoft Antigen for Exchange 9.x
Microsoft Antigen for SMTP Gateways 9.x
Forefront Security for Exchange Server
Forefront Security for SharePoint
Windows Defender
Windows Defender x64 Edition
Windows Live OneCare
Step-by-Step Interactive Training when installed on Windows 2000 SP4
Step-by-Step Interactive Training when installed on Windows XP SP2
Step-by-Step Interactive Training when installed on Windows XP Professional x64 Edition
Step-by-Step Interactive Training when installed on Windows Server 2003
Step-by-Step Interactive Training when installed on Windows Server 2003 SP1
Step-by-Step Interactive Training when installed on Windows Server 2003 for Itanium-based Systems
Step-by-Step Interactive Training when installed on Windows Server 2003 with SP1 for Itanium-based Systems
Step-by-Step Interactive Training when installed on Windows Server 2003 x64 Edition

References

Detailed information about specific affected platforms and applications can be found at:
http://www.microsoft.com/technet/security/bulletin/ms07-feb.mspx

A vulnerability in the Sun Solaris version 10 or 11 telnet daemon (in.telnetd) could allow a remote attacker to log on to the system with elevated privileges. The telnet daemon does not properly sanitize the USER Environment variable before passing it to the login process. By supplying a specially crafted USER Environment variable over telnet, a remote attacker may be able to bypass authentication to gain access to the system with elevated privileges. This was reported on February 12, 2007 and public exploit code is available.

Note: An attacker must have knowledge of a user account other than root to exploit this vulnerability successfully. Additionally, in default Solaris configurations, this vulnerability cannot be used to gain root level access.

Note that Sun Solaris 8 and 9 are not affected by this issue.

What to Do

Until Sun provides a security update, or more information becomes available, Stanford recommends the following actions to help mitigate the security risks:

• Disable Telnet daemon.
• Restrict access to port 23/tcp to trusted hosts only.

SSH provides a comparatively more secure method for remotely logging into a system than telnet. As general advice, we recommend using SSH rather than telnet.

Technical Details

The telnet daemon passes switches directly to the login process which looks for a switch that allows root to login to any account without a password. If your telnet daemon is running as root in Solaris 10 or 11, it allows unauthenticated remote logins.

Limit your exposure if you must run telnet on your solaris system. It is recommend that you use firewall(s) to limit what IP can connect to your telnet services. Other ways to mitigate this issue until a patch is available:

Change
/etc/default/login add CONSOLE=/dev/console
to limit where root can login from. This only prevents direct access to the root account other accounts can still be compromised.

Another mitigation that works in most cases is this:
inetadm -m svc:/network/telnet:default exec="/usr/sbin/in.telnetd -a user"
Note: Reports have surfaced of people locking themselves out with this so use at your own risk.

References

The above information was derived from: (US-CERT Note VU#881872)
http://www.kb.cert.org/vuls/id/881872