|
Mac OS X Security Update Fixes Multiple Vulnerabilities
|
|
Secunia Advisory:
|
SA10723
|
|
|
Release Date:
|
2004-01-27
|
|
Last Update:
|
2004-01-29
|
|
Popularity:
|
15,843 views
|
|
|
Critical:
|
Moderately critical
|
|
Impact:
|
Manipulation of data
Privilege escalation
DoS
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| OS: | Apple Macintosh OS X
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
| CVE reference: | CVE-2003-0542
CVE-2003-0789
CVE-2004-0085
CVE-2004-0086
CVE-2004-0087
CVE-2004-0088
CVE-2004-0089
CVE-2004-0090
CVE-2004-0092
|
|
Description:
Apple has issued a security update for Mac OS X, which fixes some older, known vulnerabilities along with some new unspecified issues.
Boundary errors in the Apache "mod_alias" and "mod_rewrite" modules can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges. Furthermore, the AF_UNIX socket used by "mod_cgid" to communicate with the cgid daemon or CGI script is not handled properly.
For more information:
SA10096
An unspecified vulnerability in the SystemConfiguration subsystem has also been fixed. This could reportedly be exploited by remote non-admin users to change network settings and make configuration changes to configd.
A boundary error in TruBlueEnvironment can be exploited by malicious, local users to gain "root" privileges. The problem is that values of environment variables are copied without performing any bounds checking, which may result in a buffer overflow.
Unspecified vulnerabilities in Apple's mail application, the Safari web browser, and in Windows File Sharing have also been fixed.
Solution:
Apply Security Update 2004-01-26.
Mac OS X 10.3.2 Client:
http://www.info.apple.com/kbnum/n120301
Mac OS X 10.3.2 Server:
http://www.info.apple.com/kbnum/n120300
Mac OS X 10.2.8 Client:
http://www.info.apple.com/kbnum/n120302
Mac OS X 10.2.8 Server:
http://www.info.apple.com/kbnum/n120304
Mac OS X 10.1.5 Client and Server:
http://www.info.apple.com/kbnum/n120303
Provided and/or discovered by:
Discovery of some of the new vulnearbilities have been credited to:
Dave G. of @stake
Jim Roepcke
Changelog:
2004-01-29: Added information about environment variable vulnerability.
Original Advisory:
TruBlueEnvironment Buffer Overflow:
http://www.atstake.com/research/advisories/2004/a012704-1.txt
Other References:
SA10096:
http://secunia.com/advisories/10096/
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
