Apple has fixed nine different security holes in Mac OS X that attackers could exploit to gain root privileges, cause a denial of service, launch malicious code and more.
Reston, Va.-based security firm iDefense notified Apple of one of the problems, found in the operating system's Core Foundation Library. In an advisory the firm said: "Local exploitation of a buffer overflow vulnerability within the Core Foundation Library included by default in Apple Computer Inc.'s Mac OS X could allow an attacker to gain root privileges."
The flaw is caused by improper handling of the CF_CHARSET_PATH environment variable, iDefense said. "When a string greater than 1,024 characters is passed via this variable, a stack-based overflow occurs, allowing the attacker to control program flow by overwriting the function's return address on the stack."
The firm said any application linked against the Core Foundation Library can be used as an attack vector. The company added that it notified Apple of the problem Feb. 4 and got a response the same day.
Apple issued an advisory outlining that and eight other flaws that have been addressed.
Specifically, attackers could:
- Use a specially crafted packet with an incorrect memory reference to cause a denial of service against the AFP Server.
- Exploit an access control error in the AFP Server to view the contents of a drop box.
- Exploit a glitch in Bluetooth Setup Assistant to bypass security restrictions.
- Exploit multiple vulnerabilities in the Cyrus IMAP Server to compromise a vulnerable machine.
- Exploit vulnerabilities in Cyrus SASL to crash or potentially compromise applications linked against the library.
- Gain escalated privileges by exploiting insecure permissions on various directories.
- Exploit a vulnerability in Mailman to disclose sensitive information.
- Exploit a glitch in Safari through a malicious Web site to spoof the URL displayed in the address bar, SSL certificate and status bar.
Apple also this week fixed a flaw in its popular iTunes Music Store that allowed others to circumvent its digital rights management tools and download unprotected music files. A trio of programmers led by Norwegian Jon Lech Johansen cracked the FairPlay DRM technology using their Windows-based PyMusique to download copyright-protected MP3 files. Johansen is best known for creating a DVD-descrambling program to play copyrighted movies on unauthorized machines. Apple's FairPlay restricts where downloaded iTunes can be played. News reports say in addition to sealing up the hole, iTunes customers must upgrade to v4.7 to download music.