December 2007

ID: 3523
Date: 19/12/2007

---

Title: 3523 - Apple Updates for Multiple Vulnerabilities
Platform level affected:Operating System
Specific operating systems components affected: Apple Mac OS
Other software: Other
Remediation Summary:Update your copy of the software with the download available from the supplier.
Vendors affected:Apple
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Unknown
Potential Damage: Remote execution/modification
Possible Duration: Unknown
Availability of fix: Available
Type of fix: Patch
Source: Apple & US-CERT
Reliability of source: Trusted
Source URL: http://docs.info.apple.com/article.html?artnum=307179
Abstract: Description of Apple's Security Update 2007-009 that corrects multiple vulnerabilities affecting Apple Mac OS X and Mac OS X Server.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        National Cyber Alert System

    Technical Cyber Security Alert TA07-352A

Apple Updates for Multiple Vulnerabilities

   Original release date: December 18, 2007
   Last revised: --
   Source: US-CERT

Systems Affected

     * Apple Mac OS X versions prior to and including 10.4.11 and 10.5.1
     * Apple Mac OS X Server versions prior to and including 10.4.11 and
       10.5.1

   These vulnerabilities affect both Intel and PowerPC platforms.

Overview

   Apple has released Security Update 2007-009 to correct multiple
   vulnerabilities affecting Apple Mac OS X and Mac OS X Server.
   Attackers could exploit these vulnerabilities to execute arbitrary
   code, gain access to sensitive information, surreptitiously initiate a
   video conference, or cause a denial of service.

I. Description

   Apple Security Update 2007-009 addresses a number of vulnerabilities
   affecting Apple Mac OS X and OS X Server versions 10.4.11 and 10.5.1.
   Further details are available in the related vulnerability notes.

   The update addresses vulnerabilities in other vendors' products that
   ship with Apple OS X or OS X Server. These products include:
     * Adobe Flash
     * Adobe Shockwave
     * GNU Tar

II. Impact

   The impacts of these vulnerabilities vary. Potential consequences
   include arbitrary code execution, sensitive information disclosure,
   surreptitious video conference initiation, and denial of service.

III. Solution

Install updates from Apple

   Install Apple Security Update 2007-009. This and other updates are
   available via Software Update or via Apple Downloads.

IV. References

     * Vulnerability notes for Apple Security Update 2007-009 -
       <http://www.kb.cert.org/vuls/byid?searchview&query=apple-2007-009>
    
     * About Security Update 2007-009 -
       <http://docs.info.apple.com/article.html?artnum=307179>
    
     * Mac OS X: Updating your software - <http://docs.info.apple.com/article.html?artnum=106704>
    
     * Apple - Support - Downloads - <http://www.apple.com/support/downloads/>

 _________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA07-352A.html>
 _________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the
   subject.
 _________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 _________________________________________________________________

   Produced 2007 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 _________________________________________________________________

Revision History

   December 18, 2007: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ
7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz
Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG
IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs
Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0
h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q==
=Y1jd
-----END PGP SIGNATURE-----

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.