Mac OS X 10.6.7 fixes security vulnerabilities

Apple today released Mac OS X 10.6.7, which increases the stability, compatibility, and security of your Mac.

AirPort
A divide by zero issue existed in the handling of Wi-Fi frames. When connected to Wi-Fi, an attacker on the same network may be able to cause a system reset. This issue does not affect systems prior to Mac OS X v10.6.

Apache
Apache is updated to version 2.2.17 to address several vulnerabilities, the most serious of which may lead to a denial of service.

AppleScript
A format string issue existed in AppleScript Studio’s generic dialog commands (“display dialog” and “display alert”). Running an AppleScript Studio-based application that allows untrusted input to be passed to a dialog may lead to an unexpected application termination or arbitrary code execution.

ATS
A heap buffer overflow issue existed in the handling of OpenType, TrueType and Type 1 fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution.

Multiple buffer overflow issues existed in the handling of SFNT tables. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution.

bzip2
An integer overflow issue existed in bzip2’s handling of bzip2 compressed files. Using the command line bzip2 or bunzip2 tool to decompress a bzip2 file may result in an unexpected application termination or arbitrary code execution.

CarbonCore
When used with the kTemporaryFolderType flag, the FSFindFolder() API returns a directory that is world readable. This issue is addressed by returning a directory that is only readable by the user that the process is running as.
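
The property the fix restores (a temporary directory that only the owning user can read) can be verified from any process. The following is an added example, not Apple's code: it uses POSIX calls rather than FSFindFolder(), and the function names and the `tmpcheck-` prefix are assumptions made for illustration.

```python
import os
import stat
import tempfile


def private_dir_problems(path):
    """Return the reasons why `path` is not a private per-user directory."""
    problems = []
    st = os.lstat(path)  # lstat: do not follow a symlink planted at `path`
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory (or is a symlink)"]
    if st.st_uid != os.geteuid():
        problems.append(f"owned by uid {st.st_uid}, not the current user")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:04o} grants access to group or others")
    return problems


def demo():
    """Constructed scenario: a private directory, then the same one made world readable."""
    d = tempfile.mkdtemp(prefix="tmpcheck-")  # mkdtemp creates the directory with mode 0700
    try:
        private = private_dir_problems(d)
        os.chmod(d, 0o755)  # reproduce the world-readable condition
        exposed = private_dir_problems(d)
    finally:
        os.rmdir(d)
    return private, exposed


if __name__ == "__main__":
    private, exposed = demo()
    print("private directory:", private or "ok")
    print("after chmod 0755: ", exposed)
```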

ClamAV
Multiple vulnerabilities exist in ClamAV, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating ClamAV to version 0.96.5. ClamAV is distributed only with Mac OS X Server systems.

CoreText
A memory corruption issue existed in CoreText’s handling of font files. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution.

File Quarantine
The OSX.OpinionSpy definition has been added to the malware check within File Quarantine.

HFS
An integer overflow issue existed in the handling of the F_READBOOTSTRAP ioctl. A local user may be able to read arbitrary files from an HFS, HFS+, or HFS+J filesystem.

ImageIO
A heap buffer overflow issue existed in ImageIO’s handling of JPEG and XBM images. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

A buffer overflow existed in libTIFF’s handling of JPEG encoded TIFF images and CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution.

An integer overflow issue existed in ImageIO’s handling of JPEG-encoded TIFF images. Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution. This issue does not affect systems prior to Mac OS X v10.6.

Image RAW
Multiple buffer overflow issues existed in Image RAW’s handling of Canon RAW images. Viewing a maliciously crafted Canon RAW image may result in an unexpected application termination or arbitrary code execution.

Installer
A URL processing issue in Install Helper may lead to the installation of an agent that contacts an arbitrary server when the user logs in. The dialog resulting from a connection failure may lead the user to believe that the connection was attempted with Apple. This issue is addressed by removing Install Helper.

Kerberos
Multiple cryptographic issues existed in MIT Kerberos 5. Only CVE-2010-1323 affects Mac OS X v10.5.

Kernel
A privilege checking issue existed in the i386_set_ldt system call’s handling of call gates. A local user may be able to execute arbitrary code with system privileges. This issue is addressed by disallowing creation of call gate entries via i386_set_ldt().

Libinfo
An integer truncation issue existed in Libinfo’s handling of NFS RPC packets. A remote attacker may be able to cause NFS RPC services such as lockd, statd, mountd, and portmap to become unresponsive.

libxml
A memory corruption issue existed in libxml’s XPath handling. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

A double free issue existed in libxml’s handling of XPath expressions. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue does not affect systems prior to Mac OS X v10.6.

Mailman
Multiple cross-site scripting issues existed in Mailman 2.1.13. These issues are addressed by updating Mailman to version 2.1.14.

PHP
PHP is updated to version 5.3.4 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.

PHP is updated to version 5.2.15 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.

QuickLook
A memory corruption issue existed in QuickLook’s handling of Excel files. Downloading a maliciously crafted Excel file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect systems prior to Mac OS X v10.6.

A memory corruption issue existed in QuickLook’s handling of Microsoft Office files. Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution.

QuickTime
Multiple memory corruption issues existed in QuickTime’s handling of JPEG2000 images. Viewing a maliciously crafted JPEG2000 image with QuickTime may lead to an unexpected application termination or arbitrary code execution.

An integer overflow existed in QuickTime’s handling of movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.5 this issue was addressed in QuickTime 7.6.9.

A memory corruption issue existed in QuickTime’s handling of FlashPix images. Viewing a maliciously crafted FlashPix image may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.5 this issue was addressed in QuickTime 7.6.9.

A cross-origin issue existed in QuickTime plug-in’s handling of cross-site redirects. Visiting a maliciously crafted website may lead to the disclosure of video data from another site. This issue is addressed by preventing QuickTime from following cross-site redirects.

A memory corruption issue existed in QuickTime’s handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.5 this issue was addressed in QuickTime 7.6.9.

Ruby
An integer truncation issue existed in Ruby’s BigDecimal class. Running a Ruby script that uses untrusted input to create a BigDecimal object may lead to an unexpected application termination or arbitrary code execution. This issue only affects 64-bit Ruby processes.

Samba
A stack buffer overflow existed in Samba’s handling of Windows Security IDs. If SMB file sharing is enabled, a remote attacker may cause a denial of service or arbitrary code execution.

Subversion
Subversion servers that use the non-default “SVNPathAuthz short_circuit” mod_dav_svn configuration setting may allow unauthorized users to access portions of the repository. This issue is addressed by updating Subversion to version 1.6.13. This issue does not affect systems prior to Mac OS X v10.6.
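
To find out whether a server uses the affected setting, its Apache configuration can be scanned for the directive. The following is an added example, not part of the Apple advisory or of Subversion: the sample configuration is constructed, and the directive value is matched case-insensitively so that unusual spellings are not missed.

```python
import re

# Constructed sample httpd configuration (not from the article).
SAMPLE_CONF = """\
<Location /svn/public>
    DAV svn
    SVNPath /var/svn/public
    SVNPathAuthz on
</Location>

<Location /svn/internal>
    DAV svn
    SVNPath /var/svn/internal
    AuthzSVNAccessFile /etc/svn/authz
    # SVNPathAuthz short_circuit   (commented out: must not be flagged)
    svnpathauthz Short_Circuit
</Location>
"""

_OPEN = re.compile(r"<\s*([A-Za-z]+)\s*(.*?)\s*>$")
_CLOSE = re.compile(r"</\s*([A-Za-z]+)\s*>$")


def find_short_circuit(conf_text):
    """Return (line_number, enclosing_section) for each SVNPathAuthz short_circuit."""
    findings = []
    stack = []  # enclosing <Section arg> containers, innermost last
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = _OPEN.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2)}".strip())
            continue
        parts = line.split()
        # Apache directive names are case-insensitive.
        if (len(parts) >= 2 and parts[0].lower() == "svnpathauthz"
                and parts[1].strip('"').lower() == "short_circuit"):
            findings.append((lineno, stack[-1] if stack else "<server config>"))
    return findings


if __name__ == "__main__":
    for lineno, section in find_short_circuit(SAMPLE_CONF):
        print(f"line {lineno}: SVNPathAuthz short_circuit in {section}")
```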

Terminal
When ssh is used in Terminal’s “New Remote Connection” dialog, SSH version 1 is selected as the default protocol version. This issue is addressed by changing the default protocol version to “Automatic”. This issue does not affect systems prior to Mac OS X v10.6.

X11
Multiple vulnerabilities existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font. These issues are addressed by updating FreeType to version 2.4.3.
