Apple Computer Inc. released a bushel of patches for Mac OS X Tuesday, fixing 13 flaws attackers could exploit to bypass security restrictions, gain unauthorized system access,
Cupertino, Calif.-based AV giant Symantec Corp. sent customers of its DeepSight Threat Management System an e-mail bulletin Tuesday, warning that "multiple vulnerabilities may expose Mac OS X computers to local and remote system compromise, information disclosure, and various forms of unauthorized access."
Apple summarized the 13 security holes as follows in an advisory:
Attackers could use the Apache 2 Web server to bypass protections using specially-crafted HTTP headers. "This behavior is only present when Apache is used in conjunction with certain proxy servers, caching servers, or Web application firewalls," Apple said. "This update addresses the issue by incorporating Apache version 2.0.55."
The Apache Web server's mod_ssl module may allow attackers unauthorized access to a resource that is configured to require SSL client authentication. "Only Apache configurations that include the 'SSLVerifyClient require' directive may be affected," Apple said. "This update addresses the issue by incorporating mod_ssl 2.8.24 and Apache version 2.0.55."
Using a carefully crafted URL, attackers can cause a heap buffer overflow in CoreFoundation, a framework for importing and exporting data types, "which may result in a crash or arbitrary code execution," Apple said. "CoreFoundation is used by Safari and other applications. This update addresses the issue by performing additional validation of URLs. This issue does not affect systems prior to Mac OS X 10.4."
Attackers "could use curl with NTLM authentication enabled to download an HTTP resource" to supply an overly long user or domain name, Apple said. NTLM is a network authentication scheme used by browsers and proxies. "This may cause a stack buffer overflow and lead to arbitrary code execution," Apple said. "This update addresses the issue by performing additional validation when using NTLM authentication. This issue does not affect systems prior to Mac OS X 10.4."
The ODBC Administrator utility includes a helper tool called iodbcadmintool that executes with raised privileges. "This helper tool contains a vulnerability that may allow local users to execute arbitrary commands with raised privileges," Apple said. "This update addresses the issue by providing an updated iodbcadmintool that is not susceptible."
Applications that do not disable SSLv2 or that enable certain compatibility options when using OpenSSL may be vulnerable to a protocol downgrade attack. "Such attacks may cause an SSL connection to use the SSLv2 protocol which provides less protection than SSLv3 or TLS," Apple said.
When creating an Open Directory master server, credentials may be compromised. "This could lead to unprivileged local users gaining elevated privileges on the server," Apple said. "This update addresses the issue by ensuring the credentials are protected."
When files are downloaded in Safari, they are normally placed in the location specified as the download directory. "However, if a Web site suggests an [overly long] file name for a download, it is possible for Safari to create this file in other locations," Apple said. "Although the file name and location of the downloaded file content cannot be directly specified by remote servers, this may still lead to downloading content into locations accessible to other users. This update addresses the issue by rejecting overlong file names."
WebKit contains a heap overflow that may lead to the execution of arbitrary code, Apple said, adding, "This may be triggered by content downloaded from malicious Web sites in applications that use WebKit, such as Safari. This update addresses the issue by removing the heap overflow from WebKit."
Sudo allows system administrators to grant users the ability to run specific commands with elevated privileges. "Although the default configuration is not vulnerable to this issue, custom sudo configurations may not properly restrict users," Apple said. "This update addresses the issue by incorporating Sudo version 1.6.8p9."
The system log server records syslog messages verbatim. "By supplying control characters such as the newline character, a local attacker could forge entries with the intention to mislead the system administrator," Apple said. "This update addresses the issue by specially handling control characters and other non-printable characters. This issue does not affect systems prior to Mac OS X 10.4."
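As an added illustration of the syslog issue above (example code written for this page, not Apple's fix), the following Python shows why logging a message verbatim lets an embedded newline produce a second, forged-looking record, and how escaping control and other non-printable characters keeps the message as a single record. The record layout, host name and sample message are constructed.

```python
# Constructed sample: a message a local process might hand to the log
# server. The embedded "\n" is followed by text shaped like a fresh record.
CONSTRUCTED_MESSAGE = (
    "login failed for user alice\n"
    "Nov  1 10:00:00 host login[99]: user alice logged in"
)


def escape_nonprintable(message: str) -> str:
    """Make control characters and other non-printable code points visible
    so that a record boundary cannot be injected into the log."""
    out = []
    for ch in message:
        if ch.isprintable():          # letters, digits, punctuation, space
            out.append(ch)
        elif ord(ch) < 0x100:         # ASCII/Latin-1 controls, e.g. "\n" -> \x0a
            out.append("\\x%02x" % ord(ch))
        else:                         # other non-printable code points
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


def format_record(timestamp: str, host: str, tag: str, message: str,
                  escape: bool = True) -> str:
    """Build one newline-terminated log record (constructed layout).
    escape=False reproduces the verbatim behaviour described in the advisory."""
    body = escape_nonprintable(message) if escape else message
    return f"{timestamp} {host} {tag}: {body}\n"


def records_seen(log_text: str) -> list:
    """What an administrator or a line-oriented log parser sees:
    one record per line."""
    return [line for line in log_text.split("\n") if line]


if __name__ == "__main__":
    verbatim = format_record("Nov  1 09:59:59", "host", "login[42]",
                             CONSTRUCTED_MESSAGE, escape=False)
    escaped = format_record("Nov  1 09:59:59", "host", "login[42]",
                            CONSTRUCTED_MESSAGE)
    print("verbatim logging yields", len(records_seen(verbatim)), "records")
    print("escaped logging yields", len(records_seen(escaped)), "record:")
    print(escaped, end="")
```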