in the Microsoft Windows Server Service. This flaw, detailed in Microsoft Security
Bulletin MS06-040, allowed for remote code execution (RCE).
An unauthenticated attacker could exploit it by sending specially crafted RPC requests
to an affected system, potentially gaining full control without user interaction.
Its 'wormable' nature made it highly dangerous, capable of rapid self-propagation
across networks.
Windows 2000, XP, and Server 2003 were primarily impacted. The primary mitigation
was to promptly apply the security update provided by MS06-040. This alert
underscored the critical need for timely patching to prevent widespread compromise.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-275A
Multiple Vulnerabilities in Apple and Adobe Products
Original release date: October 02, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Apple Mac OS X version 10.3.9 and earlier (Panther)
* Apple Mac OS X version 10.4.7 and earlier (Tiger)
* Apple Mac OS X Server version 10.3.9 and earlier
* Apple Mac OS X Server version 10.4.7 and earlier
* Safari web browser
* Adobe Flash Player 8.0.24 and earlier
These vulnerabilities affect both Intel-based and PowerPC-based Apple
systems.
Overview
Apple has released Security Update 2006-006 and Mac OS X 10.4.8 Update
to correct multiple vulnerabilities affecting Mac OS X, OS X Server,
Safari, Adobe Flash Player, and other products. The most serious of
these vulnerabilities may allow a remote attacker to execute arbitrary
code. Impacts of other vulnerabilities include bypass of security
restrictions and denial of service.
I. Description
Apple has released Security Update 2006-006 to address numerous
vulnerabilities affecting Mac OS X, OS X Server, Safari, Adobe Flash
Player, and other products.
Further details are available in the individual Vulnerability Notes
for Apple Security Update 2006-006.
Apple has also released Mac OS X 10.4.8 Update (Intel) for Intel-based
Apple systems. This update addresses the vulnerabilities described in
Apple Security Update 2006-006 for Intel-based Apple systems.
This security update also addresses previously known vulnerabilities
in Adobe Flash Player. More information on those vulnerabilities can
be found in Adobe Security Bulletin APSB06-11 and the Vulnerability
Notes for Adobe Security Bulletin APSB06-11.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes for Apple
Security Update 2006-006. Potential consequences include remote
execution of arbitrary code or commands, bypass of security
restrictions, and denial of service.
III. Solution
Install updates
Install Apple Security Update 2006-006. This and other updates are
available via Apple Update or via Apple Downloads.
Users with Intel-based Apple systems should upgrade to Mac OS X 10.4.8
Update (Intel) to receive the necessary security updates.
IV. References
* Vulnerability Notes for Apple Security Update 2006-006 -
<http://www.kb.cert.org/vuls/byid?searchview&query=apple-2006-006>
* About the security content of the Mac OS X 10.4.8 Update and
Security Update 2006-006 -
<http://docs.info.apple.com/article.html?artnum=304460>
* Mac OS X 10.4.8 Update (Intel) -
<http://www.apple.com/support/downloads/macosx1048updateintel.html>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
* Apple Downloads - <http://www.apple.com/support/downloads/>
* Vulnerability Notes for Adobe Security Bulletin APSB06-11 -
<http://www.kb.cert.org/vuls/byid?searchview&query=apsb06-11>
* Adobe Security Bulletin APSB06-11 -
<http://www.adobe.com/support/security/bulletins/apsb06-11.html>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/#Safari>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-275A.html>
_________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <
subject.
_________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
October 02, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRSFT/exOF3G+ig+rAQIF0gf+KI8EWp1iNaVOYe2YgcRRMF27K8VFz5Rn
Y81SRMZk4M1m9/4/7oJG7obEiGr4LqD/EjxT23ctuQ4KBKysokv7F+FrLwMHbRGY
my6x7mmLy+JEydQrMFk8u/2ZdVZjvxnhBUmH9nuwgjhqaJ0Ez1GAbmkmJ/TV5pbY
gOWOu5oe2zpkf3fpLRWY+XxctHukgl8SlN0ucyRSRPlWmO7rR8di/rujWMRRAlep
fEkTeq6Z5X4Ep6lwxoWX5z+a5oPz4tLHMIbjGZlV3FGa7ii6GTBWmQSN42yTW9tZ
ELoLtXeHgiSy27n7G6VMOIzKEu7V8mHt3L3ZFrF+O/Xx5KBb/b/xQg==
=nP7Y
-----END PGP SIGNATURE-----