Apple OS X patches out

Published: 2006-08-01
Last Updated: 2006-08-01 23:28:47 UTC
by Arrigo Triulzi (Version: 2)
0 comment(s)
Time to run Software Update for OS X users... Security update 2006-004 is out!

The patch clocks in at around 8.5 Mbyte (Intel) or 5.5 Mbyte (PPC) and covers a lot of vulnerabilites. The bold ones are critical (remote code execution):
  • more authentication issues with AFP (the good ol' Mac file-sharing protocol),
  • an interesting increase in the length of the Bluetooth auto-generated passkey for pairing (from six to eight characters),
  • dynamic linker update (probably the "usual" trickery involving LD_PRELOAD which has been applied successfuly to many Unix systems in the past)
  • gunzip file permission issues and overwriting files with the -N option,
  • Bom decompression executing malicious code,
  • more image viewer trouble with Canon RAW format (malicious code execution, again),
  • same as above but with GIFs,
  • same as above but with TIFFs,
  • Safari troubles with Javascript,
  • OpenSSH DoS attack when someone tries brute-forcing usernames (this is a regression bug since apparently it only affects 10.4 upwards),
  • the good ol' "telnet hands out environment variables to servers" now hitting OS X's telnet client,
  • Webkit giving access to de-allocated objects,
  • fetchmail with lots of stuff including arbitrary code execution when downloading from a malicious POP3 server,
  • and finally DHCP (bootpd actually) giving nice access with a malformed query.
My initial reaction to most of this is "haven't we seen this before?" because quite frankly most of the holes above have been seen in older *nixes a while back (the telnet one was a classic, not to mention the LD_PRELOAD trickery).

Although we aren't aware of any exploits we recommend upgrading immediately since there are so many remote code execution vulnerabilities.

Now the problem is that your Handler on Duty can't apply the patches until he's done with the shift...

Update: exploits for the fetchmail vulnerability are already available.
0 comment(s)


Diary Archives