
SANS ISC: Apple OS X patches out - SANS Internet Storm Center SANS ISC InfoSec Forums


Apple OS X patches out
Time to run Software Update for OS X users... Security update 2006-004 is out!

The patch clocks in at around 8.5 Mbyte (Intel) or 5.5 Mbyte (PPC) and covers a lot of vulnerabilities. The bold ones are critical (remote code execution):
  • more authentication issues with AFP (the good ol' Mac file-sharing protocol),
  • an interesting increase in the length of the Bluetooth auto-generated passkey for pairing (from six to eight characters),
  • dynamic linker update (probably the "usual" trickery involving LD_PRELOAD which has been applied successfully to many Unix systems in the past),
  • gunzip file permission issues and overwriting files with the -N option,
  • Bom decompression executing malicious code,
  • more image viewer trouble with Canon RAW format (malicious code execution, again),
  • same as above but with GIFs,
  • same as above but with TIFFs,
  • Safari troubles with JavaScript,
  • OpenSSH DoS attack when someone tries brute-forcing usernames (this is a regression bug since apparently it only affects 10.4 upwards),
  • the good ol' "telnet hands out environment variables to servers" now hitting OS X's telnet client,
  • WebKit giving access to de-allocated objects,
  • and finally DHCP (bootpd actually) giving nice access with a malformed query.
My initial reaction to most of this is "haven't we seen this before?" because quite frankly most of the holes above have been seen in older *nixes a while back (the telnet one was a classic, not to mention the LD_PRELOAD trickery).

Although we aren't aware of any exploits we recommend upgrading immediately since there are so many remote code execution vulnerabilities.

Now the problem is that your Handler on Duty can't apply the patches until I'm done with my shift...
Arrigo
