__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                         Apple Security Update 2007-009
                                    [307179]

December 18, 2007 21:00 GMT                                       Number S-090
______________________________________________________________________________
PROBLEM:       Several security vulnerabilities have been found in various 
               products used with Mac Operating Systems. 
PLATFORM:      Mac OS X v10.4.11, v10.5.1 
               Mac OS X Server v10.4.11, v10.5.1 
DAMAGE:        The execution of arbitrary code with system privileges. 
SOLUTION:      Upgrade to the appropriate version. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The execution of arbitrary code with system 
ASSESSMENT:    privileges. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-090.shtml 
 ORIGINAL BULLETIN:  http://docs.info.apple.com/article.html?artnum=307179 
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
                     CVE-2006-0024 CVE-2007-1218 CVE-2007-1659 CVE-2007-1660 
                     CVE-2007-1661 CVE-2007-1662 CVE-2007-3876 CVE-2007-3798 
                     CVE-2007-4131 CVE-2007-4351 CVE-2007-4572 CVE-2007-4708 
                     CVE-2007-4709 CVE-2007-4710 CVE-2007-4766 CVE-2007-4767 
                     CVE-2007-4768 CVE-2007-4965 CVE-2007-5116 CVE-2007-5379 
                     CVE-2007-5380 CVE-2007-5398 CVE-2007-5476 CVE-2007-5770 
                     CVE-2007-5847 CVE-2007-5848 CVE-2007-5849 CVE-2007-5850 
                     CVE-2007-5851 CVE-2007-5853 CVE-2007-5854 CVE-2007-5855 
                     CVE-2007-5856 CVE-2007-5857 CVE-2007-5858 CVE-2007-5859 
                     CVE-2007-5860 CVE-2007-5861 CVE-2007-5863 CVE-2007-6077 
                     CVE-2007-6165 
______________________________________________________________________________
[***** Start 307179 *****]

Please visit Apple's Web site to view their Security Update 2007-009:

       http://docs.info.apple.com/article.html?artnum=307179

[***** End 307179 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Apple for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-080: Samba Security and Bug Fix Update
S-081: autofs Security Update
S-082: Linux-2.6 Vulnerabilities
S-083: Sitebar Vulnerabilities
S-084: Ruby-Gnome2 Vulnerability
S-085: e2fsprogs
S-086: qt-x11-free Vulnerabilities
S-087: centericq Vulnerability
S-088: HP Quick Launch Button (QLB) Running on Windows Vulnerability
S-089: Prolog Manager Vulnerability