Safari Security Claims Ignite Controversy [8 bugs found in first day alone]
PCWorld ^ | 6/12/07 | Gregg Keizer

Posted on 06/13/2007 2:05:03 PM PDT by PajamaTruthMafia

Security researchers have already found eight bugs in the Windows version of Safari Apple released on Monday. They're blaming Apple's "hostile attitude towards security researchers" for the problems.

Just hours after Apple Inc. released a Windows version of Safari on Monday, security researchers had uncovered more than half a dozen vulnerabilities in the browser beta, including at least three that could let attackers grab complete control of the PC.

PC World's Erik Larkin isn't surprised that Safari would become a security risk. But Apple's claims about the new browser's security have touched a nerve with security researchers: Two of the researchers blamed Apple's "false claims" about security and what they called its "hostile attitude" toward bug finders for the rush to dig up flaws.

First off the mark was David Maynor of Errata Security, who posted notice of a bug about two hours after Apple made Safari 3 available for Windows. By the end of the day, Maynor had racked up six bugs. Four could be exploited to crash the browser and/or PC in a denial of service; the other two, Maynor claimed, were remote execution vulnerabilities.

Maynor, who clashed with Apple over a demonstration of a wireless hack on a MacBook at last summer's Black Hat security conference, didn't hesitate to take a shot at the Cupertino, Calif. company. "I can't speak for anybody else, but the bugs found in the beta copy of Safari on Windows work on the production copy on OS X as well," he said in a posting on the Errata site. "The exploit is robust mostly thanks to the lack of any kind of advanced security features in [Mac] OS X."

Shortly after Maynor posted his first bugs, Aviv Raff, an Israeli security researcher noted for his contributions to last July's "Month of Browser Bugs" project, announced he had found a flaw, too. "I found it using a fuzzer tool, Hamachi, that was developed by HD Moore and I," Raff said in an instant message interview. "This is a memory corruption vulnerability, which is potentially exploitable for remote code execution."

Danish researcher Thor Larholm wrapped up Safari's opening day with the most damaging disclosure of all: a remote execution vulnerability accompanied by proof-of-concept exploit code. That code -- Windows Safari users can click here for a demo -- could be used to hijack the PC, said Larholm, who plucked the vulnerability from the browser and built the exploit in just two hours.

He laid part of the blame on Apple's inexperience in writing code for Windows. "On OS X, Apple has enjoyed the same luxury and the same curse as Internet Explorer has had on Windows, namely intimate operating system knowledge," said Larholm. "The integration with the original operating system is tightly defined, but [that] knowledge is crippled when the software is released on other systems and mistakes and mishaps occur.

"[For example] you can still find references to the OS X proprietary URL protocols "open-help-anchor:" and "network-diagnostics:" inside the resource files for the Windows release [of Safari]."

Bugs are not unknown to Apple. Other applications available to Windows users, the QuickTime media player and the iTunes music store software, have been patched several times. Four fixes for QuickTime, two last month alone, have been issued by Apple this year. In March, Apple updated iTunes so it would work more smoothly with Windows Vista.

Even so, the number of vulnerabilities discovered in Safari's debut day was stunning. Aviv Raff had an explanation. "My guess is that it's because of Apple's issues with security researchers and the false claims that their products are far more secure than others," he said.

Larholm agreed. "Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser."

Maynor, who until last summer worked as a senior researcher for SecureWorks Inc., did not need to spell out his position. After he and colleague "Johnny Cache" demoed a MacBook hack prior to Black Hat, both Apple and Mac bloggers criticized the pair for either faking the hack or obfuscating its true nature. Maynor and Cache stood behind their claim. Several months later, Apple quietly patched the wireless drivers the researchers had used to break into the Mac machine.

On Monday, Maynor spelled out his policy regarding Apple vulnerabilities. "If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor."

Raff summed it up on the posting to his blog. "On the download page [for Safari] Apple writes 'Apple engineers designed Safari to be secure from day one.' I guess we can now call it 'Day zero.'"

Apple officials did not respond to a request for comment.


To: rightwingextremist1776
If someone gets their rocks off writing malicious code, they are going to write it for the most popular platform so it spreads as far and as quickly as it can

As I believe swordmaker pointed out on another thread, someone wrote a virus that infects iPods rigged to run Linux, of which there probably aren't enough to break five figures. The "obscurity" excuse just doesn't work when there are viruses for far smaller user bases.

41 posted on 06/13/2007 5:28:07 PM PDT by Bubba Ho-Tep

To: PajamaTruthMafia

I have access to the apple version of safari and I tried the windows version the other day. I don’t find it all that intuitive and the claim that it is faster than explorer seems dubious - on some pages it is very, very slow.


42 posted on 06/13/2007 5:28:09 PM PDT by Oystir

To: Bubba Ho-Tep
As I believe swordmaker pointed out on another thread, someone wrote a virus that infects iPods rigged to run Linux, of which there probably aren't enough to break five figures. The "obscurity" excuse just doesn't work when there are viruses for far smaller user bases.

Well, I guess it depends on the purpose the author of the virus had in mind...doesn't it? A little-known thing that people fail to keep in mind when discussing things such as this. So what you are saying is because it hasn't been done means it can't be done...... HMMMM?

43 posted on 06/13/2007 5:34:26 PM PDT by rightwingextremist1776

To: rightwingextremist1776

As far as putting faith in the platform, it deserves that kind of faith, just from its actual and real life performance over the last several years.

Now, you’re saying that it’s simply because of its obscurity that nothing is happening (i.e., compromising the OS for control or a virus). Well, as I said, there are many different kinds of arguments out there as to the real reason why these compromises aren’t happening. You’ve just taken one particular reason as the one you want to adhere to. Others take it to be that the OS is more secure — as the reason.

So, as I said, one can go around and around about that — but it still remains that the Mac OS is not being compromised in real life situations (where people use their computers everyday). And that’s pretty much all people really care about.

And, furthermore, there is such a thing as something more secure and less secure. Now, let’s say that there can be a major compromise of any particular OS, if someone were to really, really try. Even if that were the case, there would still be the situation in which one OS is more secure than another OS, no matter if it’s true that someone could really compromise a system if they had enough resources and enough reasons to do so.

It is an argument, with many, that the Mac OS is that “more secure OS” no matter if it could be compromised if you pitted the CIA and the KGB at it, with unlimited resources and enough reasons to do so — or, on the other hand, if it simply is generating no interest (from anyone) to actively compromise it.

So, that is the opinion of many — that it is more secure. But, even so, the last word in the matter is that it is “secure in practice” (no matter what the reason), because, basically, no compromises are happening from viruses or from hackers controlling the Mac OS.


44 posted on 06/13/2007 6:11:56 PM PDT by Star Traveler

To: Star Traveler
We will just have to agree to disagree, with one exception;
You are correct in that the end result is there are fewer security violations on Mac platforms than on the others.
I will leave you with one last thought;

How many Mac platforms run databases that store credit card info, run secure web sites that transact sensitive information, make money transfers, centrally store secret information, fall victim to script kiddies, become bots in a network, or become magnets for fast-spreading viruses, worms, or Trojans? Now why do you suppose the other, more widespread platforms do? Now you tell me why, when Macs are the superior platform, all the dummies are still using those other platforms?

Why rob a church when the bank is where the money is stored?

45 posted on 06/13/2007 6:23:44 PM PDT by rightwingextremist1776

To: snarks_when_bored

The only instance I ever ran into from Safari making a connection from an earlier session was from one particular RSS feed. It basically did not happen with all the other RSS feeds. I have no idea what the deal was with that one particular feed. But, all that happened was a connection through port 80, which is the normal port for Safari to use. I mean, it’s sort of a non-starter issue, really. Not too much of anything except a curiosity (at least with me it was only that...). I wouldn’t consider that to be a problem.

Besides that, I can block any cookie that I want, if I choose to do so, and I can turn off all cookies if I want to. So, it’s a matter of setting something up, if I’m really concerned about that. No other instance ever occurred of Safari re-establishing anything from an earlier session.

As far as the ports that are normal for Safari to access, they would be port 80 and port 443. I have that currently set up to allow all the time for all IP addresses.

Now, if I were concerned about any other ports, I could simply have all other ports permanently blocked and never allow anything outside of those ports, but I don’t do that. I have it set up to allow and disallow, per session, as I determine — when the request comes up. I try to see what it is doing.

If I didn’t want to do that, it would be easy to disallow all others permanently and never have to think about it again. I could allow Safari to always connect on port 80 and 443, while disallowing all others — and I could leave it that way permanently. However, it appears that other web sites do want you to connect on other ports to various IP addresses. So, it appears to be a normal functionality of a web browser to do that — not something that is necessarily an adverse or illegal type of connection. All I’m saying is that if you’re that concerned about that — for any named web browser (and they’ll all do that) — then you can block the ports you don’t want used and do it for all IP addresses. Otherwise, you can let Safari work just like all the other web browsers work, accessing other IP addresses with other port numbers. I guess it’s just up to you as to how far you want to go with this thing. I’m just saying you can block it all or not. It’s just not a Safari thing that you’re referring to — it’s something that goes on with all web browsers.


46 posted on 06/13/2007 6:43:44 PM PDT by Star Traveler

To: rightwingextremist1776

Well, in answer to your question about all the other machines out there on other platforms (other than Mac OS X), there are reasons why they are used — that has nothing to do with their greater security or less secure status (depending on which way you view the “security” of those systems).

There are programs developed on certain platforms. There is a business-type “ecosystem” that grows up around a platform. It doesn’t matter if that platform is less secure than another. You just hire more people to deal with it, and you use the tools and programs that have developed in that ecosystem.

Apple Computer hasn’t pursued the business ecosystem. Now, while it may be more secure an operating system — if — a business ecosystem isn’t built up around it (which does take some time to do, once you’ve decided you’re going to pursue that kind of strategy), then one is not going to have that operating system spread in all these areas that you’re talking about.

The simple fact of the matter is that Apple Computer has not made that a part of its strategy for selling computers (and its operating system). They’re not pursuing that.

The benefit for the consumer is that they’ve got a better and more secure operating system than many of these very businesses that you’re talking about. Apple is not there in those business environments because it’s never bothered to go after them. It’s going for the consumer and certain other specialty computing environments.

If Apple ever decides to go after those kinds of businesses, then things might be different. But, I really don’t know if Apple will ever decide to go for those kinds of businesses. It’s making so much money right now doing what it’s doing with a very safe and secure system, which benefits the consumer, that it may decide it’s not worth it to pursue these other kinds of businesses.

But, I can’t know what Apple will decide to pursue in the future. That remains to be seen. In the meantime, the consumer can be satisfied that it has a safer operating system than many of these other types of businesses that you mention.


47 posted on 06/13/2007 7:13:54 PM PDT by Star Traveler

To: savedbygrace

“Got some examples of that . . . so we can determine WHO is blowing the hot air?”

Dave Maynor who is in this article and the apple wifi driver vulns they claimed not to exist... and then patched.


48 posted on 06/13/2007 8:05:16 PM PDT by GovernmentIsTheProblem (The GOP is "Whig"ing out.)

To: Yossarian; rightwingextremist1776

“I hate to be the one to break this to you, Mr. “Security Professional”, but there is a big difference between a vulnerability and the ability to exploit said vulnerability. So far, even though vulnerabilities have been found (hey, it’s an OS created by human engineers), no effective exploit has been found to take advantage of these brief vulnerabilities. In other words, no attack has been able to be executed for real.”

Actually there are a number of Mac exploits in the Metasploit project framework. :)

http://framework.metasploit.com/exploits/view/?refname=osx:afp:loginext
AppleFileServer LoginExt PathName Overflow

This module exploits a stack overflow in the AppleFileServer service on MacOS X. This vulnerability was originally reported by Atstake and was actually one of the few useful advisories ever published by that company. You only have one chance to exploit this bug. This particular exploit uses a stack-based return address that will only work under optimal conditions.

This module (revision 4498) was provided by hdm, under the Metasploit Framework License.

External references:

* http://www.securityfocus.com/bid/10271
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0430
* http://www.osvdb.org/5762
* http://milw0rm.com/metasploit/2

Targets:

* Mac OS X 10.3.3

http://framework.metasploit.com/exploits/view/?refname=osx:arkeia:type77
Arkeia Backup Client Type 77 Overflow (Mac OS X)

This module exploits a stack overflow in the Arkeia backup client for the Mac OS X platform. This vulnerability affects all versions up to and including 5.3.3 and has been tested with Arkeia 5.3.1 on Mac OS X 10.3.5.

This module (revision 4498) was provided by hdm, under the Metasploit Framework License.

External references:

* http://www.osvdb.org/14011
* http://www.securityfocus.com/bid/12594
* http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html
* http://milw0rm.com/metasploit/6

Targets:

* Arkeia 5.3.1 Stack Return (boot)

http://framework.metasploit.com/exploits/view/?refname=osx:samba:trans2open
Samba trans2open Overflow (Mac OS X)

This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the bug on Mac OS X PowerPC systems.

This module (revision 4498) was provided by hdm, under the Metasploit Framework License.

External references:

* http://www.securityfocus.com/bid/7294
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0201
* http://www.osvdb.org/4469
* http://www.digitaldefense.net/labs/advisories/DDI-1013.txt
* http://milw0rm.com/metasploit/54

Targets:

* Stack Brute Force

Then there’s Immunity CANVAS
http://immunitysec.com/news-latest.shtml
Miami Beach, FL - (June 4, 2007) - Immunity brings you a flurry of exciting new exploits this June, including a reliable remote root exploit for OS X on both Intel and PPC platforms.


49 posted on 06/13/2007 8:27:28 PM PDT by GovernmentIsTheProblem (The GOP is "Whig"ing out.)

To: rightwingextremist1776
This is just too easy:

How many Mac platforms run databases that store credit card info, run secure web sites that transact sensitive information, make money transfers, centrally store secret information,

OK, up until this comma, this is a fair question with an easy answer (see below). But then you continue in your inane rambling....

fall victim to script kiddies, become bots in a network, or become magnets for fast spreading viruses, worms, or Trojans?

Now why do you suppose the other, more wide spread platforms do? Now you tell me why when Macs are the superior platform, why all the dummies are still using those other platforms?

Mmmm....maybe because they made the mistake of hiring you for security consulting?

Now to answer the top, coherent part of your rambling question/statement/certification-of-your-lack-of-thinking-skills:

See this?

That's a big well-encased farm of xServes (Apple's 1U server platform, then PowerPC based) from Apple's developer conference a little over 10 months ago.

It's installed at "eBureau" (was "xTech"), one of America's largest processors of credit card data, as well as other financial and security systems. In the company's own words:

"eBureau provides a suite of precision marketing, credit risk management, fraud prevention and receivables management solutions to direct marketers, financial services companies, Internet retailers and agencies"

eBureau calls this installation the "Aquarium". It runs Mac OS X Server.

For a "Computer Security Pro", you're quite the ignorant chump, aren't you?

50 posted on 06/13/2007 8:35:44 PM PDT by Yossarian (Everyday, somewhere on the globe, somebody is pushing the frontier of stupidity...)

To: Star Traveler
Here's a 'for instance', Star Traveler. After I read your message #46, I started Safari (for the first time since this afternoon). It immediately tried to connect to an IP number that ARIN WHOIS says belongs to AltaVista. I didn't connect to AltaVista this afternoon (to my knowledge). I don't see any reason why my browser should do that. Firefox doesn't do that sort of thing.

I don't know that there's anything pernicious about this sort of behavior, but I just don't like it. I'll just continue to use Firefox, not only for this reason, but also because the text on its tabs and its status bar is large enough to read. I also like the fact that you can kill a tab in Firefox just by mouse-wheel-clicking anywhere on it, whereas in Safari you have to hit that tiny X. Oh, and I like the fact that you can mouse-grab a Firefox window anywhere and re-size it horizontally, vertically or diagonally, whereas a Safari window can only be re-sized by mouse-grabbing it on the tiny bottom right-hand corner triangle.

Regards...

51 posted on 06/13/2007 8:58:46 PM PDT by snarks_when_bored

To: snarks_when_bored

I just did a check on Safari by having my program check every connection it tried to make. It made absolutely no connection upon startup on any port (not even port 80) to any IP address. And in going to Free Republic, it only did the exact connections, through the proper ports to post this particular post to you.

I can’t tell you what is going on with your particular version of Safari. I would suggest going to Apple’s Support Board and bringing it up for discussion with the other Apple posters. It’s a public board for anyone who uses Apple programs and/or computers. There are categories for the different software and/or computers. You may find someone there who knows what is happening.

All I know is that it doesn’t do it on my Safari, but I’m not using the beta version. Others may be using the beta version who are on that board. Good luck on finding some answers there.

http://discussions.apple.com/index.jspa

And, by the way, I have Firefox, too, but I rarely use it. I only do so when I want to check something out on another browser, which isn’t too often. One of the things that others may not be aware of is that the reason why Apple put out a Windows version of Safari is that the “applications” that can be developed on the iPhone will require Safari to do it. So, in order to not exclude a lot of “Windows developers” from doing something with iPhone, Apple put out a Windows version of Safari.


52 posted on 06/13/2007 10:26:55 PM PDT by Star Traveler

To: Star Traveler
It looks as if setting the 'Check for Updates' option (under the RSS tab) to 'Never' does the trick. Safari isn't trying to connect when I start it now. So that's good. My problems with the small fonts and color still remain, but I'll probably use it some since it starts so quickly.

Thanks for the thoughtful responses, ST...

Later...

53 posted on 06/14/2007 12:14:34 AM PDT by snarks_when_bored

To: Yossarian

“eBureau calls this installation the “Aquarium”. It runs Mac OS X Server.”

I run a business that performs penetration testing for large e-commerce and Fortune 1000 customers and have never seen a single production application environment running on OS X. You pointed out one - that doesn’t make the other poster ignorant. It’s one - the exception, not the rule.


54 posted on 06/14/2007 1:25:47 AM PDT by GovernmentIsTheProblem (The GOP is "Whig"ing out.)

To: GovernmentIsTheProblem

The only ignorance is that coming from Yossarian. He couldn’t buy a clue. I believe they call it blind faith.


55 posted on 06/14/2007 4:34:50 AM PDT by rightwingextremist1776

To: Yossarian
Let me know when you have finished your first class in computer basics. I’ll be more than happy to school you from there. Until then I would keep your mouth shut; it only puts your complete lack of knowledge on display for the whole world to see. You completely missed the point of my post. You haven't a clue.
56 posted on 06/14/2007 4:39:57 AM PDT by rightwingextremist1776

To: GovernmentIsTheProblem; Yossarian
BTW...Here is a list of the most recent vulnerabilities that were addressed in the latest Apple SECURITY patch. Look them up Yossarian....If you know how. I have my doubts that you have ever heard of a CVE number, let alone know what they are:


57 posted on 06/14/2007 4:52:06 AM PDT by rightwingextremist1776

To: rightwingextremist1776
Look what I found...some more for you:

All Mac OS X security vulnerabilities..... I could go on but I'm not going to waste any more time on the ignorant.

58 posted on 06/14/2007 5:02:57 AM PDT by rightwingextremist1776

To: GovernmentIsTheProblem

That ‘vulnerability’ required the user to click on a link that the user had no way to know whether it was trustworthy or not.

Only the stupid do such clicking.

My guess is, Maynor feels dissed that Apple doesn’t jump and fetch at his beck and call. That has nothing to do with vulnerabilities and everything to do with Apple’s corporate culture. They almost never admit to problems of any sort. When they fix something, they are instead dealing with an issue. (exceptions have been when they are forced to do a recall on an item.)

It’s just their way of doing things - everything, not just ‘vulnerabilities’.

Even with all that, there hasn’t been a real in-the-wild computer-being-taken-over-by-something type problem that I recall since the Autostart Worm more than 10 years ago. The solution to that was to check a checkbox to keep executables from automatically starting when you inserted a CD in the CD drive.


59 posted on 06/14/2007 5:05:34 AM PDT by savedbygrace (SECURE THE BORDERS FIRST (I'M YELLING ON PURPOSE))

To: Yossarian
Oh, and just in case you missed it;
6.0 (U) Technical Overview for IT Professional: Multiple vulnerabilities affecting Apple Mac OS X and Mac OS X Server have been discovered. The most serious of these vulnerabilities may allow a remote attacker to execute arbitrary code. Attackers may take advantage of the less serious vulnerabilities to bypass security restrictions or cause a denial of service.

6.1 (U) ColorSync CVE-2007-0719
Viewing a maliciously-crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. A stack buffer overflow exists in the handling of embedded ColorSync profiles. By enticing a user to open a maliciously-crafted image, an attacker can trigger the overflow, which may lead to an unexpected application termination or arbitrary code execution.

6.2 (U) CoreGraphics
Viewing a malformed PDF Document may lead to an application hang.

6.3 (U) Crash Reporter CVE-2007-0467
Crash Reporter may allow a local admin user to obtain system privileges. Crash Reporter uses an admin-writable system directory to store logs of processes that have been unexpectedly terminated. A malicious process running as an admin can cause these logs to be written to arbitrary files as root, which could result in the execution of commands with elevated privileges.

6.4 (U) CUPS CVE-2007-0720
Remote attackers may cause a denial of service during SSL negotiation. A partially-negotiated SSL connection with the CUPS service may prevent other requests from being served until the connection is closed.

6.5 (U) Disk Images CVE-2007-0721
Mounting a maliciously-crafted disk image may lead to an unexpected application termination or arbitrary code execution. A memory corruption vulnerability exists in diskimages-helper. By enticing a user to open a maliciously-crafted compressed disk image, an attacker could trigger this issue which may lead to an unexpected application termination or arbitrary code execution.

6.6 (U) Disk Images CVE-2007-0722
Mounting a maliciously-crafted AppleSingleEncoding disk image may lead to an unexpected application termination or arbitrary code execution. An integer overflow vulnerability exists in the handler for AppleSingleEncoding disk images. By enticing a local user to open a maliciously-crafted disk image, an attacker could trigger the overflow which may lead to an unexpected application termination or arbitrary code execution.

6.7 (U) Disk Images CVE-2006-6061, CVE-2006-6062, CVE-2006-5679, CVE-2007-0229, CVE-2007-0267, CVE-2007-0299
Downloading a maliciously-crafted disk image may lead to an unexpected system shutdown or arbitrary code execution. Several vulnerabilities exist in the processing of disk images that may lead to an unexpected termination of system operations or arbitrary code execution. Since a disk image may be automatically mounted when visiting web sites, this allows a malicious web site to cause a denial of service. This update addresses the issue by performing additional validation of downloaded disk images prior to mounting them.

6.8 (U) DS Plug-Ins CVE-2007-0723
Unprivileged LDAP users may be able to change the local root password. An implementation flaw in DirectoryService allows an unprivileged LDAP user to change the local root password.

6.9 (U) Flash Player CVE-2006-5330
Playing maliciously-crafted Flash content could allow an HTTP request splitting attack. Adobe Flash Player is updated to version 9.0.28.0 to fix a potential vulnerability that could allow HTTP request splitting attacks.

6.10 (U) GNU Tar CVE-2006-0300, CVE-2006-6097
Multiple vulnerabilities in GNU Tar, the most serious of which is arbitrary code execution. GNU Tar is updated from version 1.14 to 1.16.1.

6.11 (U) HFS CVE-2007-0318
Removing a file from a maliciously-crafted mounted filesystem may lead to a denial of service. An HFS+ filesystem in a mounted disk image can be constructed to trigger a kernel panic when attempting to remove a file from a mounted filesystem.

6.12 (U) HID Family CVE-2007-0724
Console keyboard events are exposed to other users on the local system. Insufficient controls in the IOKit HID interface allow any logged in user to capture console keystrokes, including passwords and other sensitive information.

6.13 (U) ImageIO CVE-2007-1071
Viewing a maliciously-crafted GIF file may lead to an unexpected application termination or arbitrary code execution. An integer overflow vulnerability exists in the process of handling GIF files. By enticing a user to open a maliciously-crafted image, an attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of GIF files. This issue does not affect systems prior to Mac OS X v10.4.

6.14 (U) ImageIO CVE-2007-0733
Viewing a maliciously-crafted RAW Image may lead to an unexpected application termination or arbitrary code execution. A memory corruption issue exists in the process of handling RAW images. By enticing a user to open a maliciously-crafted image, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of RAW images. This issue does not affect systems prior to Mac OS X v10.4.

6.15 (U) Kernel CVE-2006-5836
Malicious local users may be able to cause a denial of service. Using the fpathconf() system call on certain file types will result in a kernel panic.

6.16 (U) Kernel CVE-2006-6129
Executing a maliciously-crafted Universal Mach-O binary may lead to an unexpected termination of system operations or arbitrary code execution with elevated privileges. An integer overflow vulnerability exists in the loading of Universal Mach-O binaries. This could allow a malicious local user to cause a kernel panic or to obtain system privileges.

6.17 (U) Kernel CVE-2006-6173
Executing a maliciously-crafted program may lead to a system hang. The shared_region_make_private_np() system call allows a program to request a large allocation of kernel memory. This could allow a malicious local user to cause a system hang. This issue does not allow an integer overflow to occur, and it cannot lead to arbitrary code execution.

6.18 (U) MySQL Server CVE-2006-1516, CVE-2006-1517, CVE-2006-2753, CVE-2006-3081, CVE-2006-4031, CVE-2006-4226, CVE-2006-3469
Multiple vulnerabilities in MySQL, the most serious of which is arbitrary code execution.

6.19 (U) Networking CVE-2006-6130
Malicious local users may be able to cause an unexpected termination of system operations or execute arbitrary code with elevated privileges. A memory corruption issue exists in the AppleTalk protocol handler. This could allow a malicious local user to cause a kernel panic or gain system privileges.

6.20 (U) Networking CVE-2007-0236
Maliciously-crafted AppleTalk requests may lead to a local denial of service or arbitrary code execution. A heap buffer overflow vulnerability exists in the AppleTalk protocol handler. By sending a maliciously-crafted request, a local user can trigger the overflow which may lead to a denial of service or arbitrary code execution.

6.21 (U) OpenSSH CVE-2007-0726
A remote attacker can destroy established trust between SSH hosts by causing SSH Keys to be regenerated. SSH keys are created on a server when the first SSH connection is established. An attacker connecting to the server before SSH has finished creating the keys could force the keys then to be recreated. This could result in a denial of service against processes that rely on a trust relationship with the server. Systems that already have SSH enabled and have rebooted at least once are not vulnerable to this issue. This issue is addressed by improving the SSH key generation process. This issue is specific to the Apple implementation of OpenSSH.

6.22 (U) OpenSSH CVE-2006-0225, CVE-2006-4924, CVE-2006-5051, CVE-2006-5052
Multiple vulnerabilities in OpenSSH, the most serious of which is arbitrary code execution. OpenSSH is updated to version 4.5.

6.23 (U) Printing CVE-2007-0728
An unprivileged local user can overwrite arbitrary files with system privileges. Insecure file operations may occur during the initialization of a USB printer. An attacker may leverage this issue to create or overwrite arbitrary files on the system. This update addresses the issue by improving the printer initialization process.

6.24 (U) QuickDraw Manager CVE-2007-0588
Opening a maliciously-crafted PICT image may lead to an unexpected application termination or arbitrary code execution. A heap buffer overflow vulnerability exists in QuickDraw’s PICT image processing. By enticing a user to open a maliciously-crafted image, an attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT files.

6.25 (U) QuickDraw Manager
Opening a malformed PICT image may lead to an unexpected application termination. This issue can not lead to arbitrary code execution.

6.26 (U) Servermgrd CVE-2007-0730
Remote attackers may be able to access Server Manager without valid credentials. An issue in Server Manager’s validation of authentication credentials could allow a remote attacker to alter the system configuration.

6.27 (U) SMB File Server CVE-2007-0731
A user with write access to an SMB share may be able to cause a denial of service or arbitrary code execution. A stack buffer overflow vulnerability exists in an Apple-specific Samba module. A file with an overly-long ACL could trigger the overflow, which may lead to a denial of service or arbitrary code execution. This issue does not affect systems prior to Mac OS X v10.4.

6.28 (U) Software Update CVE-2007-0463
Opening a maliciously-crafted Software Update Catalog file may lead to an unexpected application termination or arbitrary code execution. A format string vulnerability exists in the Software Update application. By enticing a user to download and open a Software Update Catalog file, an attacker can trigger the vulnerability which may lead to an unexpected application termination or arbitrary code execution. This issue does not affect systems prior to Mac OS X v10.4.

6.29 (U) Sudo CVE-2005-2959
A local user with sudo access to a bash script can run arbitrary commands with elevated privileges. A user-modified sudo configuration could allow environment variables to be passed through to the program running as a privileged user. If sudo is configured to allow an otherwise unprivileged user to execute a given bash script with elevated privileges, the user may be able to execute arbitrary code with elevated privileges. Systems with the default sudo configuration are not vulnerable to this issue. This issue has been addressed by updating sudo to 1.6.8p12.

6.30 (U) WebLog CVE-2006-4829
A remote attacker can conduct cross-site scripting attacks through Blojsom. A cross-site scripting vulnerability exists in Blojsom. This allows remote attackers to inject JavaScript into blog content that will execute in the domain of the Blojsom server. This issue does not affect systems prior to Mac OS X v10.4.

PS...I saved you the effort of actually having to look this up...I knew you wouldn’t be able to handle that task.

60 posted on 06/14/2007 5:09:40 AM PDT by rightwingextremist1776
[ Post Reply | Private Reply | To 50 | View Replies]
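The integer-overflow class behind entries 6.13 (ImageIO GIF handling) and 6.16 (Universal Mach-O loading) in the advisory quoted above, as an added example: this is my own illustration, not Apple's ImageIO or kernel code, and the bug it shows is a generic one rather than the specific defect Apple fixed. A minimal GIF logical-screen header reader computes the size of its RGBA pixel buffer two ways: the naive multiplication that silently wraps in 32-bit arithmetic, and a checked version that rejects the image first. The function names, the MAX_PIXELS policy cap, and the two sample headers are constructed assumptions.

```c
#include <assert.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Apple's ImageIO code: a GIF logical-screen header
   reader that sizes its RGBA pixel buffer with an overflow check before
   trusting attacker-controlled width and height. MAX_PIXELS is an assumed
   policy cap; the sample headers at the bottom are constructed. */

#define GIF_HEADER_LEN 13                     /* "GIF89a" + 7-byte screen descriptor */
#define MAX_PIXELS     (64u * 1024u * 1024u)  /* assumed policy cap: 64 Mpixel */

typedef struct {
    uint16_t width;
    uint16_t height;
    uint32_t bytes;     /* validated size of a width*height*4 RGBA buffer */
} gif_screen_t;

/* The bug class: 32-bit arithmetic silently wraps. 32768*32768*4 == 2^32,
   which comes out as 0, so a decoder would allocate 0 bytes and then
   try to write every pixel into that empty buffer. */
uint32_t naive_buffer_size(uint16_t w, uint16_t h)
{
    return (uint32_t)w * h * 4u;
}

/* Hardened form: check the multiplication before performing it and
   apply a sane upper bound. Returns 0 when the dimensions are rejected. */
uint32_t safe_buffer_size(uint16_t w, uint16_t h)
{
    if (w == 0 || h == 0) return 0;
    uint32_t pixels = (uint32_t)w * h;          /* <= 65535*65535, fits in 32 bits */
    if (pixels > UINT32_MAX / 4u) return 0;     /* the *4 for RGBA would wrap */
    if (pixels > MAX_PIXELS) return 0;          /* policy cap on image size */
    return pixels * 4u;
}

/* Parse the 13-byte header. Returns 0 on success, or a negative code:
   -1 bad arguments / short input, -2 bad signature, -3 zero dimension,
   -4 buffer size overflows or exceeds the cap. */
int gif_read_screen(const uint8_t *buf, size_t len, gif_screen_t *out)
{
    if (buf == NULL || out == NULL || len < GIF_HEADER_LEN) return -1;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0) return -2;
    uint16_t w = (uint16_t)(buf[6] | (buf[7] << 8));   /* little-endian fields */
    uint16_t h = (uint16_t)(buf[8] | (buf[9] << 8));
    if (w == 0 || h == 0) return -3;
    uint32_t bytes = safe_buffer_size(w, h);
    if (bytes == 0) return -4;
    out->width = w;
    out->height = h;
    out->bytes = bytes;
    return 0;
}

/* Constructed sample headers (not taken from the advisory). */
static const uint8_t kBenignHeader[GIF_HEADER_LEN] = {
    'G','I','F','8','9','a', 0x10,0x00, 0x10,0x00, 0xF7,0x00,0x00 };   /* 16 x 16 */
static const uint8_t kOversizedHeader[GIF_HEADER_LEN] = {
    'G','I','F','8','9','a', 0x00,0x80, 0x00,0x80, 0xF7,0x00,0x00 };   /* 32768 x 32768 */

int main(void)
{
    gif_screen_t s;
    printf("naive size for 32768x32768: %u bytes\n", naive_buffer_size(0x8000, 0x8000));
    int rc = gif_read_screen(kBenignHeader, GIF_HEADER_LEN, &s);
    printf("benign header: rc=%d bytes=%u\n", rc, s.bytes);
    rc = gif_read_screen(kOversizedHeader, GIF_HEADER_LEN, &s);
    printf("oversized header: rc=%d (rejected before allocation)\n", rc);
    return 0;
}
```

The defensive point is the order of operations: the checked version decides whether the product fits before computing it, and a separate policy cap keeps a valid but absurd image from exhausting memory, which is the same "additional validation" the advisory credits for the fix.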

