
Apple fixes more than a dozen OS X flaws

By Bill Brenner, Senior News Writer
02 Mar 2006 | SearchSecurity.com

Security Wire Daily News

In response to the numerous flaws and security scrutiny that have plagued its flagship operating system in recent days, Apple Computer Inc. has released more than a dozen fixes for a variety of Mac OS X flaws.


Among them is a fix for the flaw revealed last week in how the operating system processes specially crafted resource forks and HFS metadata stored in the "__MACOSX" folder of .zip archives. The hole affects OS X 10.4.5 and earlier versions. An attacker could exploit it to execute arbitrary shell commands and compromise a vulnerable system by convincing a user to open a malicious e-mail attachment, or to visit a specially crafted Web page designed to exploit the vulnerability automatically through the Safari browser.

The security hole came to light days after the operating system became the target of malicious code for the first time. The first malcode to appear was Leap, also known as Oompa, which spreads through Apple's iChat instant messaging application. The next piece of malcode, Inqtana, attempts to spread via an older Bluetooth vulnerability.

In all, Apple's latest batch of security updates addresses approximately 15 flaws. Among them:

  • Malicious people could exploit multiple security issues in PHP 4.4 to launch cross-site scripting attacks or circumvent security restrictions.
  • File servers on the local network may be able to cause Mac OS X systems to mount file systems with reserved names. Apple said this could cause the systems to become unresponsive, or possibly allow attackers to launch malicious code from file servers to run on a target system.
  • The BOM framework, which handles the unpacking of certain types of archives, does so in a way that leaves the framework vulnerable to a directory traversal attack, allowing archived files to be unpacked into arbitrary locations that are writable by the current user, Apple said.
  • The directory service "passwd" program is vulnerable to temporary file attacks that could lead to privilege elevation. Apple said the update addresses the issue by anticipating a hostile environment and by creating temporary files securely.
  • User directories are mounted in an unsafe fashion when a FileVault image is created. The update secures the method in which a FileVault image is created, Apple said.
  • Incorrect handling of error conditions for virtual private networks based on IPSec may allow a remote attacker to cause a service interruption. Apple said this update addresses the issues by correctly handling the conditions that may cause crashes.
  • An attacker could cause an application to make requests for large amounts of memory and may also be able to trigger a heap buffer overflow. This could cause the targeted application to crash or execute arbitrary code. This update addresses the issue by correctly handling these memory requests, Apple said.
  • In Mac OS X v10.4 Tiger, when an e-mail attachment is double-clicked in Mail, download validation is used to warn the user if the file type is not safe. But certain techniques can be used to disguise the file's type so that download validation is bypassed. This update addresses the issue by presenting download validation with the entire file, providing more information for the program to detect unknown or unsafe file types in attachments.
  • When a Perl program running as root attempts to switch to another user ID, the operation may fail without any notification to the program. The program may then continue to run with root privileges while believing it has dropped them, a security problem for third-party tools that rely on the switch. The update addresses the issue by preventing such applications from continuing if the operation fails.
  • A heap-based buffer overflow may be triggered when the rsync server is used with the flag that allows extended attributes to be transferred. It may be possible for a malicious user with access to an rsync server to cause denial of service or code execution. This update addresses the problem by ensuring that the destination buffer is large enough to hold the extended attributes.
  • A heap-based buffer overflow in WebKit's handling of certain HTML could allow a malicious Web site to cause a crash or execute arbitrary code as the user viewing the site. This update addresses the issue by preventing the condition causing the overflow.
  • By preparing a Web page including specially-crafted JavaScript, an attacker may trigger a stack buffer overflow that could lead to arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional bounds checking.
  • Safari's security model prevents remote resources from causing redirection to local resources. An issue involving HTTP redirection can cause the browser to access a local file, bypassing certain restrictions. This update addresses the issue by preventing cross-domain HTTP redirects.
  • It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open 'safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious Web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public Web sites that demonstrates the automatic execution of shell scripts. Today's update addresses the issue by performing additional download validation so that the user is warned or the download is not automatically opened.
  • Syndication (Safari RSS) may allow JavaScript code embedded in feeds to run within the context of the RSS reader document, allowing malicious feeds to circumvent Safari's security model. This update addresses the issue by properly removing JavaScript code from feeds. Syndication is only available in Mac OS X v10.4 and later.
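The BOM framework item above describes the classic archive directory-traversal problem: an entry name such as "../../.profile" or an absolute path is joined to the extraction directory and lands wherever the current user can write. The following Python is an added example, not Apple's BOM framework code, showing the containment check an unpacker needs. The hostile archive it extracts is constructed inline for the demonstration; the names in it are illustrative.

```python
# Added example (not Apple's BOM framework code): unpacking a .zip without
# letting entry names escape the destination directory.
import io
import os
import tempfile
import zipfile


def is_contained(dest_root, entry_name):
    """True only if entry_name, joined to dest_root, resolves inside dest_root.

    Absolute names are rejected outright (os.path.join would discard dest_root),
    and realpath() collapses '..' segments and follows any symlinked directory
    already present under dest_root, so the final check is on the real target.
    The comparison uses root + os.sep so that a sibling directory that merely
    shares a prefix with the root (/tmp/out2 vs /tmp/out) is not accepted.
    """
    root = os.path.realpath(dest_root)
    if os.path.isabs(entry_name):
        return False
    target = os.path.realpath(os.path.join(root, entry_name))
    return target == root or target.startswith(root + os.sep)


def safe_extract(archive_bytes, dest_root):
    """Extract archive_bytes into dest_root, skipping entries that would land
    outside it.  Returns (extracted_names, rejected_names)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_contained(dest_root, info.filename):
                rejected.append(info.filename)
                continue
            # Compute the target path ourselves instead of relying on
            # ZipFile.extract() to sanitize the name.
            target = os.path.realpath(os.path.join(dest_root, info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def build_hostile_archive():
    """Constructed sample: one benign entry plus a '..' traversal entry and an
    absolute-path entry, the kinds of names an attacker-supplied archive carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        zf.writestr("../../.profile", "echo pwned\n")
        zf.writestr("/tmp/evil.sh", "echo pwned\n")
    return buf.getvalue()


def run_demo():
    """Extract the constructed archive into a fresh temporary directory and
    report what was accepted, what was rejected and what actually got written."""
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(build_hostile_archive(), dest)
        written = sorted(
            os.path.relpath(os.path.join(dirpath, name), dest)
            for dirpath, _, names in os.walk(dest) for name in names)
    return {"extracted": extracted, "rejected": rejected, "written": written}


if __name__ == "__main__":
    print(run_demo())
```

The check is done on the resolved path rather than by string-matching ".." because a symlinked directory that already exists under the destination would otherwise carry a clean-looking name outside the tree. Rejected entries are reported rather than silently dropped, which is what an unpacker should surface to the user.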
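The Perl item above is an instance of a general failure mode: a privilege drop is requested, no error is reported, and the program carries on as root. What Apple's fix amounts to is refusing to continue unless the drop can be verified. The following is an added example of that check written in Python rather than Perl (it is not Apple's patch); the id primitives are passed in as parameters so that a constructed FakeKernel can simulate a set*id call that returns normally but changes nothing, which is the behaviour the item describes. By default the real os.setuid/os.setgid calls are used, so the same function works on a real Unix system.

```python
# Added example (not Apple's Perl patch): dropping root privileges and refusing
# to continue unless the drop can be verified.
import os


class PrivilegeDropError(RuntimeError):
    """Raised when the process cannot prove it is no longer running as root."""


def drop_privileges(target_uid, target_gid, *,
                    setgid=os.setgid, setuid=os.setuid,
                    geteuid=os.geteuid, getegid=os.getegid):
    """Switch to target_uid/target_gid and verify the switch took effect.

    The id primitives are parameters so the silent-failure case can be
    exercised without root (see FakeKernel below); by default the real
    os.* calls are used.  Drop the group first: once the uid is no longer 0
    the process can no longer change its gid.  (A production version would
    also clear supplementary groups with os.setgroups([]) before setgid.)
    """
    # 1. Ask the kernel to change ids; treat an error as fatal.
    try:
        setgid(target_gid)
        setuid(target_uid)
    except OSError as exc:
        raise PrivilegeDropError("setuid/setgid failed: %s" % exc) from exc
    # 2. Do not trust the absence of an error: re-read the effective ids.
    #    This is the check a program that assumes the switch worked lacks.
    if geteuid() != target_uid or getegid() != target_gid:
        raise PrivilegeDropError(
            "still running as uid=%d gid=%d, expected uid=%d gid=%d"
            % (geteuid(), getegid(), target_uid, target_gid))
    # 3. Confirm root cannot be regained.  If setuid(0) succeeds, only the
    #    effective id changed and the saved set-user-id is still 0.
    if target_uid != 0:
        try:
            setuid(0)
        except OSError:
            return  # regaining root failed, which is the outcome we want
        raise PrivilegeDropError("root privileges could be regained")


class FakeKernel:
    """Constructed stand-in for the kernel's id bookkeeping.  With
    silent_failure=True the set*id calls return normally but change nothing,
    the behaviour described for Perl above."""

    def __init__(self, euid, egid, silent_failure=False):
        self.euid, self.egid = euid, egid
        self.silent_failure = silent_failure

    def _check(self, wanted, current):
        # An unprivileged process may only "switch" to the ids it already has.
        if self.euid != 0 and wanted != current:
            raise PermissionError("Operation not permitted")

    def setuid(self, uid):
        self._check(uid, self.euid)
        if not self.silent_failure:
            self.euid = uid

    def setgid(self, gid):
        self._check(gid, self.egid)
        if not self.silent_failure:
            self.egid = gid

    def geteuid(self):
        return self.euid

    def getegid(self):
        return self.egid


def attempt(kernel, uid, gid):
    """Run drop_privileges against a FakeKernel and report the outcome."""
    try:
        drop_privileges(uid, gid, setgid=kernel.setgid, setuid=kernel.setuid,
                        geteuid=kernel.geteuid, getegid=kernel.getegid)
    except PrivilegeDropError as exc:
        return "refused: %s" % exc
    return "dropped"


if __name__ == "__main__":
    print(attempt(FakeKernel(0, 0), 1000, 1000))
    print(attempt(FakeKernel(0, 0, silent_failure=True), 1000, 1000))
```

The point of step 3 is that a successful-looking setuid() can still leave the saved set-user-id at 0 on some systems, so the only convincing evidence that privileges are gone is that an attempt to get them back fails. The equivalent in Perl is to re-read $< and $> (and $! on error) after assigning them, and to die if they do not hold the expected values.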

