ID: 3482
Date: 19/11/2007
Title: 3482 - APPLE-SA-2007-11-15 Mac OS X v10.5.1 Update
Platform level affected:Net Application - Client
Hardware components affected:Apple MAC
Specific operating systems components affected: Apple Mac OS
Security software:Firewall
Other software: Other
Remediation Summary:Update your copy of the software with the download available from the supplier.
Vendors affected:Apple
Applications affected:Firewall
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Imminent
Potential Damage: Remote access
Possible Duration: Unknown
Availability of fix: Available
Type of fix: Patch
Source: Apple
Reliability of source: Trusted
Source URL: http://www.apple.com/support/downloads/
CVE: CVE-2007-4702, CVE-2007-4703, CVE-2007-4704
Abstract: Mac OS X v10.5.1 Update is now available and addresses a number of vulnerabilities.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2007-11-15 Mac OS X v10.5.1 Update
Mac OS X v10.5.1 Update is now available and addresses the following
issues:
Application Firewall
CVE-ID: CVE-2007-4702
Available for: Mac OS X v10.5, Mac OS X Server v10.5
Impact: The "Block all incoming connections" setting for the firewall is misleading
Description: The "Block all incoming connections" setting for the Application Firewall allows any process running as user "root" (UID
0) to receive incoming connections, and also allows mDNSResponder to receive connections. This could result in the unexpected exposure of network services. This update addresses the issue by more accurately describing the option as "Allow only essential services", and by limiting the processes permitted to receive incoming connections under this setting to a small fixed set of system services: configd (for DHCP and other network configuration protocols), mDNSResponder (for Bonjour), and racoon (for IPSec). The "Help" content for the Application Firewall is also updated to provide further information.
This issue does not affect systems prior to Mac OS X v10.5.
Application Firewall
CVE-ID: CVE-2007-4703
Available for: Mac OS X v10.5, Mac OS X Server v10.5
Impact: Processes running as user "root" (UID 0) cannot be blocked when the firewall is set to "Set access for specific services and applications"
Description: The "Set access for specific services and applications"
setting for the Application Firewall allows any process running as user "root" (UID 0) to receive incoming connections, even if its executable is specifically added to the list of programs and its entry in the list is marked as "Block incoming connections". This could result in the unexpected exposure of network services. This update corrects the issue so that any executable so marked is blocked. This issue does not affect systems prior to Mac OS X v10.5.
Application Firewall
CVE-ID: CVE-2007-4704
Available for: Mac OS X v10.5, Mac OS X Server v10.5
Impact: Changes to Application Firewall settings do not affect processes started by launchd until they are restarted
Description: When the Application Firewall settings are changed, a running process started by launchd will not be affected until it is restarted. A user might expect changes to take effect immediately and so leave their system exposed to network access. This update corrects the issue so that changes take effect immediately. This issue does not affect systems prior to Mac OS X v10.5.
Mac OS X v10.5.1 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.5
The download file is named: "MacOSXUpd10.5.1.dmg"
Its SHA-1 digest is: fb4ba4e5a0a7db7e04b3c93bb10115017cbea986
For Mac OS X Server v10.5
The download file is named: "MacOSXServerUpd10.5.1.dmg"
Its SHA-1 digest is: 9ccfe856eae029b70b7f465d85041a96738eaeab
Information will also be posted to the Apple Security Updates web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: 9.7.0.867
wsBVAwUBRzyVBcgAoqu4Rp5tAQjJGwf+JPqv9+zTyyvX5WmeLHocPXxwkZBupkT/
XnaeVJsckZchxKHahwFQPSMInx1mK4sG0rI00nXDQx3m1qpa5zrwQyIwgweg7gh8
SwnGDJdoZyUOuf+Yx7m2b/u426T0De7lqFNbBGnMdmtWKoZGfphUgPcTD6Svh2PB
3/EjmGqXzWrN5dgESI23c9YQvobRSTTye+uzT1Z5Hx7E1KPyuuGBsFhDCfxZ/fms
ifLRZiXBOw2uzxVPQVHLtBnksO0MSgTfozQTfYNfcWugTE3N5TS6b6ck5Tv7bBpn
RmKeqlmsdVQTLgxj47jnBQV8Wunl7Qwtzxfyj57jYqx3X7GPH+LGmw==
=fq+k
-----END PGP SIGNATURE-----
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
Mon, 19 Nov 2007 00:00:00 GMT
Domain affected: Technical