U radu programskog paketa iWork uočena su tri nova propusta čije iskorištavanje može dovesti do neočekivanog završetka rada aplikacije ili do pokretanja proizvoljnog programskog koda.
Paket:
iWork 9.x
Operacijski sustavi:
Apple Mac OS X 10.4, Apple Mac OS X 10.6, Apple Mac OS X 10.5
Problem:
cjelobrojno prepisivanje, korupcija memorije, neodgovarajuća provjera ulaznih podataka
Do propusta dolazi zbog pojave prepisivanja međuspremnika prilikom rukovanja Excel dokumentima te zbog pojave korupcije memorije prilikom otvaranja Excel ili Microsoft Word dokumenata.
Posljedica:
Posljedice iskorištavanja spomenutih propusta su DoS napad te pokretanje proizvoljnog programskog koda.
Rješenje:
Budući da je dostupna odgovarajuća nadogradnja, svi se korisnici ranjivog paketa potiču na njenu primjenu.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-07-20-2 iWork 9.1 Update
iWork 9.1 Update is now available and addresses the following:
Numbers
Available for: iWork 9.0 through 9.0.5
Impact: Opening a maliciously crafted Excel file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of Excel
files. Opening a maliciously crafted Excel file in Numbers may lead
to an unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2010-3785 : Apple
Numbers
Available for: iWork 9.0 through 9.0.5
Impact: Opening a maliciously crafted Excel file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
Excel files. Opening a maliciously crafted Excel file in Numbers may
lead to an unexpected application termination or arbitrary code
execution.
CVE-ID
CVE-2010-3786 : Tobias Klein, working with VeriSign iDefense Labs
Pages
Available for: iWork 9.0 through 9.0.5
Impact: Opening a maliciously crafted Microsoft Word document may
lead to an unexpected application termination or arbitrary code
execution
Description: A memory corruption issue existed in the handling of
Microsoft Word documents. Opening a maliciously crafted Microsoft
Word document in Pages may lead to an unexpected application
termination or arbitrary code execution.
CVE-ID
CVE-2011-1417 : Charlie Miller and Dion Blazakis working with
TippingPoint's Zero Day Initiative
iWork 9.1 Update is available via the Apple Software Update
application, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
The download file is named: iWork9.1Update.dmg
Its SHA-1 digest is: ecb38db74d7d1954cbcee9220c73dac85cace3e1
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
iQEcBAEBAgAGBQJOKcGrAAoJEGnF2JsdZQeewcYH/RhHdLa6x14PX+ZTC+sm1Mjc
W1xBpOxMuBpAx3Li6INXXLvMablTgPIs5e3pbtsV0RYtsJy99JdPySPI8bpQu0Si
CVWuXXSBYy2gdTtRAf6MI3j+oOyM1JhE7GunLBWcmAzv5TxS8TRf0HtNErFEe8NA
StV8QBWLErNyHxqjUQsIb5d1KbIbOysFQZy3O6pyZ6SRwr8tlIPKnY4KsaDYS5Ry
tpv3lMysde5NqCy8BeOQEtW/WAmE7i9NCCNfU2L+OfGQOXIdXmKl7Orjj+d9l23L
umGo9GCACvBVO1Ot6jKDlCW+ZuDRGuz+fhQnwOdyoqtwUwiNCsS6VIwuYYrcmxw=
=wrny
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/security-announce/advisory%40lss.hr
This email sent to Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
Posljednje sigurnosne preporuke