Security Update 2007-007
Security Update 2007-007 fixes 45 security vulnerabilities in Mac OS X. All Mac OS X users should install it, since many commonly used packages are affected. Unpatched machines are exposed to arbitrary code execution and denial of service.
The fixes:
bzip2 (CVE-ID: CVE-2005-0758)
Impact: Running bzgrep on a file with a maliciously crafted name may lead to arbitrary code execution
CFNetwork (CVE-ID: CVE-2007-2403)
Impact: Clicking on an FTP URI may cause arbitrary FTP commands to be issued
CFNetwork (CVE-ID: CVE-2007-2404)
Impact: Applications using CFNetwork to make HTTP requests may be vulnerable to a response splitting attack
CoreAudio (CVE-ID: CVE-2007-3745)
Impact: Visiting a malicious website may lead to arbitrary code execution
CoreAudio (CVE-ID: CVE-2007-3746)
Impact: Visiting a malicious website may lead to arbitrary code execution
CoreAudio (CVE-ID: CVE-2007-3747)
Impact: Visiting a malicious website may lead to arbitrary code execution
cscope (CVE-ID: CVE-2004-0996, CVE-2004-2541)
Impact: Multiple vulnerabilities in Cscope
gnuzip (CVE-ID: CVE-2005-0758)
Impact: Running zgrep on a file with a maliciously crafted name may lead to arbitrary code execution
iChat (CVE-ID: CVE-2007-3748)
Impact: An attacker on the local network may be able to cause a denial of service or arbitrary code execution
Kerberos (CVE-ID: CVE-2007-2442, CVE-2007-2443, CVE-2007-2798)
Impact: Multiple vulnerabilities in the MIT krb5 Kerberos administration daemon
mDNSResponder (CVE-ID: CVE-2007-3744)
Impact: An attacker on the local network may be able to cause a denial of service or arbitrary code execution
PDFKit (CVE-ID: CVE-2007-2405)
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
PHP (CVE-ID: CVE-2007-1001, CVE-2007-1287, CVE-2007-1460, CVE-2007-1461, CVE-2007-1484, CVE-2007-1521, CVE-2007-1583, CVE-2007-1711, CVE-2007-1717)
Impact: Multiple vulnerabilities in PHP 4.4.4
Quartz Composer (CVE-ID: CVE-2007-2406)
Impact: Viewing a maliciously crafted Quartz Composer file may lead to an unexpected application termination or arbitrary code execution
Samba (CVE-ID: CVE-2007-2446)
Impact: When Windows file sharing is enabled, an unauthenticated remote attacker may cause an unexpected application termination or arbitrary code execution
Samba (CVE-ID: CVE-2007-2447)
Impact: When Windows file sharing is enabled, an unauthenticated remote attacker may be able to execute arbitrary shell commands
Samba (CVE-ID: CVE-2007-2407)
Impact: When Windows file sharing is enabled, users may bypass file system quotas
SquirrelMail (CVE-ID: CVE-2005-3128, CVE-2006-2842, CVE-2006-3174, CVE-2006-4019, CVE-2006-6142, CVE-2007-1262, CVE-2007-2589)
Impact: Multiple vulnerabilities in SquirrelMail 1.4.5
Tomcat (CVE-ID: CVE-2005-2090, CVE-2007-0450, CVE-2007-1358, CVE-2007-1860)
Impact: Multiple vulnerabilities in Tomcat
WebCore (CVE-ID: CVE-2007-2408)
Impact: Visiting a malicious website may allow Java applets to load and run even when Java is disabled
WebCore (CVE-ID: CVE-2007-0478)
Impact: Content may be injected into HTML comments leading to cross-site scripting attacks
WebCore (CVE-ID: CVE-2007-2409)
Impact: Visiting a malicious website may lead to the disclosure of URL contents
WebCore (CVE-ID: CVE-2007-2410)
Impact: Visiting a malicious website may allow cross-site scripting
WebKit (CVE-ID: CVE-2007-3742)
Impact: Look-alike characters in a URL could be used to masquerade as a legitimate website
WebKit (CVE-ID: CVE-2007-3944)
Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution
Where do you get it?
Security Update 2007-007 can be downloaded and installed via the Software Update preference pane, or from Apple Downloads [1].
[1] Security Update 2007-007 [Apple]