In response to the numerous flaws and security scrutiny that have plagued its flagship operating system in recent days, Apple Computer Inc. has released more than a dozen fixes for a variety of Mac OS X flaws.
The security hole came to light days after the operating system became the target of malicious code for the first time. The first malcode to appear was Leap, also known as Oompa. It spreads through Apple's iChat instant messaging application. The next piece of malcode, Inqtana, attempts to spread via an older Bluetooth vulnerability.
In all, Apple's latest batch of security updates address approximately 15 flaws. Among them:
- Malicious people could exploit multiple security issues in PHP 4.4 to launch cross-site scripting attacks or circumvent security restrictions.
- File servers on the local network may be able to cause Mac OS X systems to mount file systems with reserved names. Apple said this could cause the systems to become unresponsive, or possibly allow attackers to launch malicious code from file servers to run on a target system.
- The BOM framework, which handles the unpacking of certain types of archives, does so in a way that leaves the framework vulnerable to a directory traversal attack, allowing archived files to be unpacked into arbitrary locations that are writable by the current user, Apple said.
- The directory service "passwd" program is vulnerable to temporary file attacks that could lead to privilege elevation. Apple said the update addresses the issue by anticipating a hostile environment and by creating temporary files securely.
- User directories are mounted in an unsafe fashion when a FileVault image is created. The update secures the method in which a FileVault image is created, Apple said.
- Incorrect handling of error conditions for virtual private networks based on IPSec may allow a remote attacker to cause a service interruption. Apple said this update addresses the issues by correctly handling the conditions that may cause crashes.
- An attacker could cause an application to make requests for large amounts of memory and may also be able to trigger a heap buffer overflow. This could cause the targeted application to crash or execute arbitrary code. This update addresses the issue by correctly handling these memory requests, Apple said.
- In Mac OS X v10.4 Tiger, when an e-mail attachment is double-clicked in Mail, download validation is used to warn the user if the file type is not safe. But certain techniques can be used to disguise the file's type so that download validation is bypassed. This update addresses the issue by presenting download validation with the entire file, providing more information for the program to detect unknown or unsafe file types in attachments.
- When a Perl program, running as root, attempts to switch to another user ID, the operation may fail without notification to the program. This may cause a program to continue to run with root privileges, assuming they have been dropped. This can cause security issues in third-party tools. The update addresses the issue by preventing such applications from continuing if the operation fails.
- A heap-based buffer overflow may be triggered when the rsync server is used with the flag that allows extended attributes to be transferred. It may be possible for a malicious user with access to an rsync server to cause denial of service or code execution. This update addresses the problem by ensuring that the destination buffer is large enough to hold the extended attributes.
- A heap-based buffer overflow in WebKit's handling of certain HTML could allow a malicious Web site to cause a crash or execute arbitrary code as the user viewing the site. This update addresses the issue by preventing the condition causing the overflow.
- Safari's security model prevents remote resources from causing redirection to local resources. An issue involving HTTP redirection can cause the browser to access a local file, bypassing certain restrictions. This update addresses the issue by preventing cross-domain HTTP redirects.
- It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open `safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious Web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public Web sites that demonstrates the automatic execution of shell scripts. Today's update addresses the issue by performing additional download validation so that the user is warned or the download is not automatically opened.