__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

                            INFORMATION BULLETIN

                   Apple Security Update 2008-002 [307562]

March 27, 2008 21:00 GMT                                          Number S-247
______________________________________________________________________________

PROBLEM:        Several security vulnerabilities have been found in various
                products used with Mac operating systems.

PLATFORM:       Mac OS X v10.4.11, v10.5.2
                Mac OS X Server v10.4.11, v10.5.2

DAMAGE:         Arbitrary code execution.

SOLUTION:       Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY   The risk is HIGH. Multiple updates, the most serious of which
ASSESSMENT:     could allow a remote user to gain system privileges.
______________________________________________________________________________

CVSS 2
BASE SCORE:     8.8
TEMPORAL SCORE: 6.5
VECTOR:         (AV:N/AC:M/Au:N/C:C/I:C/A:N/E:U/RL:OF/RC:C)
______________________________________________________________________________

LINKS:
  CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-247.shtml
  ORIGINAL BULLETIN:  http://support.apple.com/kb/HT1249
  CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                      CVE-2005-3352 CVE-2005-4077 CVE-2006-3334 CVE-2006-3747
                      CVE-2006-5752 CVE-2006-5793 CVE-2006-6481 CVE-2007-0897
                      CVE-2007-0898 CVE-2007-1659 CVE-2007-1660 CVE-2007-1661
                      CVE-2007-1662 CVE-2007-1745 CVE-2007-1997 CVE-2007-2445
                      CVE-2007-2799 CVE-2007-3378 CVE-2007-3725 CVE-2007-3799
                      CVE-2007-3847 CVE-2007-4510 CVE-2007-4560 CVE-2007-4568
                      CVE-2007-4752 CVE-2007-4766 CVE-2007-4767 CVE-2007-4768
                      CVE-2007-4887 CVE-2007-4990 CVE-2007-5000 CVE-2007-5266
                      CVE-2007-5267 CVE-2007-5268 CVE-2007-5269 CVE-2007-5759
                      CVE-2007-5795 CVE-2007-5901 CVE-2007-5971 CVE-2007-5958
                      CVE-2007-6109 CVE-2007-6203 CVE-2007-6335 CVE-2007-6336
                      CVE-2007-6337 CVE-2007-6388 CVE-2007-6421 CVE-2007-6427
                      CVE-2007-6428 CVE-2007-6429 CVE-2008-0006 CVE-2008-0047
                      CVE-2008-0005 CVE-2008-0044 CVE-2008-0045 CVE-2008-0046
                      CVE-2008-0048 CVE-2008-0049 CVE-2008-0050 CVE-2008-0051
                      CVE-2008-0052 CVE-2008-0053 CVE-2008-0054 CVE-2008-0055
                      CVE-2008-0056 CVE-2008-0057 CVE-2008-0058 CVE-2008-0059
                      CVE-2008-0060 CVE-2008-0062 CVE-2008-0063 CVE-2008-0318
                      CVE-2008-0596 CVE-2008-0728 CVE-2008-0882 CVE-2008-0987
                      CVE-2008-0992 CVE-2008-0997 CVE-2008-0988 CVE-2008-0989
                      CVE-2008-0990 CVE-2008-0993 CVE-2008-0994 CVE-2008-0995
                      CVE-2008-0996 CVE-2008-0998 CVE-2008-0999 CVE-2008-1000
______________________________________________________________________________

[***** Start 307562 *****]

Please visit Apple's Web site to view their Security Update 2008-002:

http://docs.info.apple.com/article.html?artnum=307562

[***** End 307562 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Apple for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
S-222: Evolution Security Update