Apple Patches Massive Holes In OS X

Posted by timothy
from the well-it-wouldn't-be-polite-to-patch-windows dept.
Trailrunner7 writes with this snippet from ThreatPost: "Apple's first Mac OS X security update for 2010 is out, providing cover for at least 12 serious vulnerabilities. The update, rated critical, plugs security holes that could lead to code execution vulnerabilities if a Mac user is tricked into opening audio files or surfing to a rigged Web site." Hit the link for a list of the highlights among these fixes.
  • Twelve? (Score:5, Informative)

    by Spyware23 (1260322) on Wednesday January 20, 2010 @05:32PM (#30837956) Homepage

    Apple's own security update page (http://support.apple.com/kb/HT4004) lists these six, where did the Threatpost author get the number 12 from?:

    Security Update 2010-001

    * CoreAudio
      CVE-ID: CVE-2010-0036
      Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
      Impact: Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution
      Description: A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to Tobias Klein of trapkit.de for reporting this issue.

    * CUPS
      CVE-ID: CVE-2009-3553
      Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
      Impact: A remote attacker may cause an unexpected application termination of cupsd
      Description: A use-after-free issue exists in cupsd. By issuing a maliciously crafted get-printer-jobs request, an attacker may cause a remote denial of service. This is mitigated through the automatic restart of cupsd after its termination. This issue is addressed through improved connection use tracking.

    * Flash Player plug-in
      CVE-ID: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800, CVE-2009-3951
      Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
      Impact: Multiple vulnerabilities in Adobe Flash Player plug-in
      Description: Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 10.0.42. Further information is available via the Adobe web site at http://www.adobe.com/support/security/bulletins/apsb09-19.html [adobe.com] Credit to an anonymous researcher and Damian Put working with TippingPoint's Zero Day Initiative, Bing Liu of Fortinet's FortiGuard Global Security Research Team, Will Dormann of CERT, Manuel Caballero and Microsoft Vulnerability Research (MSVR).

    * ImageIO
      CVE-ID: CVE-2009-2285
      Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
      Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
      Description: A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.2.

    * Image RAW
      CVE-ID

    • Re:Twelve? (Score:5, Insightful)

      by mjschultz (819188) on Wednesday January 20, 2010 @05:35PM (#30838010) Homepage

      Apple's own security update page (http://support.apple.com/kb/HT4004) lists these six, where did the Threatpost author get the number 12 from?

      The Flash update is actually 7 vulnerabilities.

      • Re:Twelve? (Score:5, Insightful)

        by Graff (532189) on Wednesday January 20, 2010 @05:48PM (#30838262)

        The Flash update is actually 7 vulnerabilities.

        Moral of this story:
        Avoid Flash and you can cut the amount of vulnerabilities approximately in half!

        • Avoid Flash and you can cut the amount of vulnerabilities approximately in half!

          Either "cut the amount of vulnerability in half" or "cut the number of vulnerabilities in half". Avoid count noun mismatch. [wikipedia.org]

          • by Graff (532189)

            Either "cut the amount of vulnerability in half" or "cut the number of vulnerabilities in half". Avoid count noun mismatch.

            Good call, I thought it sounded awkward but I didn't have time to rephrase it. Thanks!

    • The SSL vulnerability is somewhat disturbing. Read the date on the linked article.

    • by ekhben (628371)

      May all of OS X's "massive holes" be so insignificant to me.

      The most concerning is the TIFF vulnerability; fortunately that's a 10.5 issue, not a 10.6 issue. The second most concerning is the SSL vulnerability, but I've not trusted SSL alone for a while now. Still tossing up throwing out Firefox's trust anchor code and replacing it with an SSH style known-hosts setup... but the FF code is a total dog to work with. And I don't care. Mostly, I guess, I don't care. Thank you, my bank, for two-factor aut

  • by Anonymous Coward on Wednesday January 20, 2010 @05:32PM (#30837962)

    The Apple commercials have told me that viruses and security holes are only possible in Windows, so I gather they are patching boot camp installs now

    • Re: (Score:3, Insightful)

      by recoiledsnake (879048)

      It's interesting that many of these (like the image exploits) can be triggered by just browsing to a website (like the IE6/Google/China fiasco) or by mp4 audio/video files. Where are all the 'LOL M$ can't code' posters here?

    • by Anonymous Coward on Wednesday January 20, 2010 @06:12PM (#30838672)

      No - the Apple commercials tell you that viruses are a problem for Windows. Viruses tend to find MacOS too arrogant an environment to survive in.

    • Re: (Score:2, Funny)

      by gig (78408)

      It's viruses that are only possible on Windows. All operating systems have security holes, but only Microsoft systems get viruses. The Apple commercials very clearly refer only to viruses. The PC sneezes and acts like he has a cold, he's caught something, and the Mac can't catch it from him, he's immune to the viruses. Security holes are not covered at all.

  • A refund? (Score:5, Funny)

    by Monkeedude1212 (1560403) on Wednesday January 20, 2010 @05:34PM (#30837988) Journal

    The only hole I want Apple to fix is the one they put in my wallet.

  • Sometimes newer isn't better.

  • image format bugs (Score:4, Informative)

    by phantomfive (622387) on Wednesday January 20, 2010 @05:50PM (#30838290) Journal
    Two bugs were found in their image libraries (arbitrary code execution bugs in TIFF and RAW-DMG). Makes me wonder if they even tested their image libraries at all when they were being written, because that kind of bug can usually be found in an image library by feeding it random data.
    • Re: (Score:3, Interesting)

      by TrancePhreak (576593)
      Other companies got hit by those a long time ago and have since patched up their image libraries. Apple must have ignored it then and is now paying the price.
    • by eulernet (1132389)

      A few years ago, when Microsoft's Windows source code was leaked, a hacker found a problem in the handling of the standard BMP format (IIRC, it was an integer that was not considered signed, and it contained the size of the picture), which could allow arbitrary code execution.

      What bothers me is that Apple's developers don't check if they have the same problems as their direct competitor.

    • Re: (Score:2, Insightful)

      by DJCouchyCouch (622482)

      Using random data doesn't work if some structured data needs to be read first.

      So you need non-random random data. :)

      • But computers can't generate truly random data, it's always at least partially procedurally generated. Thus, any data from a computer you feed to it is non-random random data :p

      • Actually, if you are debugging an image parser library, I advocate commenting out all the obvious fails (like, this file doesn't have the right magic number, it's not a GIF) and then feeding the thing pure random data, seeing how it handles it. You never know what kind of bug might turn up. Of course you'll want the non-random random data as well, but the random random stuff is useful.
    • by drinkypoo (153816)

      These sophomoric no-input-sanitization errors are the most common kind. Didn't Apple make one before with the iPhone and SMS or something? We've seen cellphones that don't check to make sure Bluetooth data is valid. FireWire is a big mess because the hardware permits access to things it shouldn't.

      • Re: (Score:3, Insightful)

        by phantomfive (622387)
        I don't know if you've ever written an image parser before, but sanitizing the data before you parse it can be really hard. If you think about it, the data itself can be almost random, considering a picture can be almost anything. To do a good job validating the data, you would almost have to re-implement the parser itself.

        Not saying they shouldn't have caught these bugs, but it's a little harder than just validating the data as it comes in.
    • Re:image format bugs (Score:5, Informative)

      by Archaemic (1546639) on Wednesday January 20, 2010 @09:53PM (#30841186)

      Actually, I personally found and patched the TIFF bug. In January. Of last year. http://bugzilla.maptools.org/show_bug.cgi?id=1985 [maptools.org]
      Feeding random data (aka fuzzing) might work, but 99% of the time, I'd imagine it'd just give you a corrupted image and bail out. You have to be clever about how you search for it. I found a known vulnerability patch posted by, of all people, an Apple employee, and tried to reverse engineer what he'd fixed. I found that the patch hadn't been applied on an old version of the PSP system software, which is what I was targeting. After messing with this specific attack vector, I noticed that I could still crash a system software version that did have the patch. After reading up on LZW compression (which is what part of LibTIFF had the vulnerability) and the TIFF specification of how they implemented LZW, I realized that the Apple patch was incomplete--it only tested for one value you could give it that was erroneous. By simply changing the equality they used (in two places) to an inequality, I tested for all erroneous values. Meanwhile, I tried to exploit the new unpatched vector on the PSP so that I could inject code. Failing this, I decided the best course of action was to submit a bug report to LibTIFF. It might seem a tad unethical to try and exploit the bug before reporting it, but I wasn't trying to exploit it for malicious purposes, and not on a desktop operating system. Regardless, I failed to make it do more than crash the PSP. Surely the best course of action here would be to patch it upstream before anyone else found it. (Incidentally, this "arbitrary execution" thing is blown out of proportion. In its current state, it is extremely unlikely that it could provide ANY code execution. Just crashing. Although I don't know if it's IMPOSSIBLE for it to execute code with this vulnerability, it would take a lot of work to get anything valuable out of this. Mostly it's a DoS. They usually just attach "arbitrary execution" when there's even the vaguest possibility for code to be executed, regardless of whether or not such an exploit has been demonstrated.)

      It, um, took a while for anyone to notice the patch. In fact, the only reason anyone did notice was because someone found some of the fruit of my research into this bug and then posted a link to the research in a new bug report. Funnily, they created a different patch, which, instead of preventing the infinite loop caused by the erroneous data, just tested to see if the loop was writing out of bounds. Perhaps both approaches should be used together. Defensive programming and all that. Regardless, I noticed this new bug report shortly after it was posted and pointed them back to the inexplicably ignored old bug report. Most Linux vendors applied the patch shortly after the new bug report was filed, but Apple lagged by a number of months, until 10.6.2 came out. This update backports the fix into 10.5.x. However, I've found that some projects (such as Qt) are still using ancient versions of LibTIFF that have had numerous bug and security fixes since they were last updated in the projects' trees. While Qt does try to use the system's version of Qt if it can, it's still kind of scary to think about what could happen if it falls back on its own version, as I've seen it do before when I try my "corrupted" TIFF on things like Arora.

      Incidentally, I am TAing a computer security course this semester. I guess previous experience helps.

      • Wow, you went through all the effort of learning LZW compression solely because of an Apple patch? That is ambitious.
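The two ideas in this subthread, "non-random random data" (keep the framing a parser expects, corrupt the payload) and Archaemic's point that an LZW decoder must reject every undefined code with an inequality rather than test for one bad value, and should bounds-check its output writes as well, can be shown together in one small program. This is an added, illustrative example, not libtiff's tif_lzw.c and not the patch from the bug report; it assumes a simplified LZW where codes are plain integers rather than the bit-packed TIFF stream, and it does not model the 12-bit table cap.

```python
# Added illustrative example: a defensively written LZW decoder plus a
# structure-aware fuzz harness. Not libtiff code; simplified code stream.
import random

CLEAR, EOI, FIRST_FREE = 256, 257, 258


class CorruptStream(ValueError):
    """Raised for any malformed input so the caller can bail out cleanly."""


def lzw_encode(data: bytes) -> list:
    """Reference encoder, used only to build valid inputs for the fuzzer."""
    table = {bytes([i]): i for i in range(256)}
    next_code = FIRST_FREE
    out, w = [CLEAR], b""
    for ch in data:
        wc = w + bytes([ch])
        if wc in table:
            w = wc
        else:
            out.append(table[w])
            table[wc] = next_code
            next_code += 1
            w = bytes([ch])
    if w:
        out.append(table[w])
    out.append(EOI)
    return out


def lzw_decode(codes, expected_len: int) -> bytes:
    """Decode into a buffer of expected_len bytes (think: TIFF strip size).

    Check 1: a code is acceptable only if it is already in the table or is
    exactly the next free slot (the standard KwKwK case). Anything larger is
    corrupt, so the test is an inequality, not 'code == <one bad value>'.
    Check 2: never write past the declared output size.
    """
    table = [bytes([i]) for i in range(256)] + [b"", b""]  # 256/257 reserved
    out = bytearray()
    prev = None
    for code in codes:
        if code == CLEAR:
            table = table[:FIRST_FREE]
            prev = None
            continue
        if code == EOI:
            break
        if code < len(table):
            entry = table[code]
        elif code == len(table) and prev is not None:
            entry = prev + prev[:1]  # KwKwK: the entry being defined right now
        else:  # check 1: undefined code (would index past the table in C)
            raise CorruptStream(f"code {code} undefined, table has {len(table)}")
        if len(out) + len(entry) > expected_len:  # check 2: output bounds
            raise CorruptStream("decoded data exceeds declared strip size")
        out += entry
        if prev is not None:
            table.append(prev + entry[:1])
        prev = entry
    return bytes(out)


def is_rejected(codes, expected_len: int) -> bool:
    """True if the decoder cleanly rejects the stream with CorruptStream."""
    try:
        lzw_decode(codes, expected_len)
        return False
    except CorruptStream:
        return True


def mutate(codes, rng):
    """'Non-random random data': keep the CLEAR/EOI framing, corrupt the body."""
    body = list(codes[1:-1])
    for _ in range(rng.randint(1, 4)):
        i = rng.randrange(len(body))
        body[i] = rng.choice(
            [rng.randrange(4096), body[i] ^ (1 << rng.randrange(12)), 4095])
    return [CLEAR] + body + [EOI]


def fuzz(sample: bytes, iterations: int = 2000, seed: int = 1) -> dict:
    """Each mutated stream must either decode or raise CorruptStream. Any
    other exception (or a hang) is the class of bug this thread is about."""
    rng = random.Random(seed)
    valid = lzw_encode(sample)
    counts = {"decoded": 0, "rejected": 0}
    for _ in range(iterations):
        try:
            lzw_decode(mutate(valid, rng), expected_len=len(sample))
            counts["decoded"] += 1
        except CorruptStream:
            counts["rejected"] += 1
    return counts


if __name__ == "__main__":
    sample = b"TOBEORNOTTOBEORTOBEORNOT" * 4  # constructed test input
    assert lzw_decode(lzw_encode(sample), len(sample)) == sample
    print(fuzz(sample))
```

The two checks are independent, which is why both belong in the decoder: the table check stops the corrupt code from being followed at all, and the output check catches any other path (including a valid-looking stream with a lying length field) that would otherwise run off the end of the strip buffer.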
  • by His Shadow (689816) on Wednesday January 20, 2010 @06:39PM (#30839078) Homepage Journal
    Has anyone driven a truck through these gaping holes? Anyone? Bueller? When OSX is suffering from a deluge of viruses from all these supposed gaping holes in its architecture, please come back and let us know. Because while every operating system has vulnerabilities, only Microsoft was kind enough to make those vulnerabilities accessible by system-wide scripting mechanisms that allowed millions of computer users the world over to be the subject of attacks from the hundreds of thousands of pieces of malware constantly fighting to infect Windows PCs. The count (for those who think a security vulnerability makes Apple's points about viruses invalid) is about one hundred thousand to 0. This is being very generous. So, yes, as a matter of fact, there are no viruses for Mac OS X. Not virtually none, not almost none. None.
    • by smash (1351)
      Whilst I'm a mac user/fanboi and agree with most of your post - I'm sure there must be some vulnerabilities being exploited for MacOS out there somewhere. It ships with Apache, and a heap of BSD userland tools ffs. I'd say there are no commonly encountered viruses on MacOS... not necessarily NONE.
    • So, yes, as a matter of fact, there are no viruses for Mac OS X. Not virtually none, not almost none. None.

      As a matter of fact, there ARE viruses for Mac OS X.

      OS X uses various parts of the FreeBSD Security Framework and Filesystem.

      They have viruses for FreeBSD that base their attacks on those parts, and it has been proven that they work just as well on a Mac as they do on that flavour of Linux.

      Just because Mac users are not affected by the hordes of windows viruses that they catch (and yes, Macs catch the same viruses as Windows, they merely can't operate because they were designed to run on Windows) - doesn't

    • Re: (Score:2, Insightful)

      You must have missed all the reports on the virus spread through torrents for Photoshop CS4 and iLife. [atomicsub.net]
      • Re: (Score:3, Insightful)

        by mario_grgic (515333)

        Except you kids need to read up on what people mean when they say a "virus". Hint: it's not the same thing as malware that the user has to install themselves, where you need to rely on social engineering techniques to get them to install your malware for you (in the above case the lure of a free Photoshop installation), etc.

  • "MASSIVE"? (Score:3, Interesting)

    by jjoelc (1589361) on Wednesday January 20, 2010 @07:57PM (#30840108)

    I just wonder why the summary title says "MASSIVE holes..." when the original article says "serious"... a bit of bias, perhaps??

    More realistically, this is just another security update. Find me an OS that doesn't have them, and for similarly "obvious" or "easily found/fixed" (hindsight and armchair hacking being perfect of course) and I'll either switch right away, or dust off the old TRS-80 from my closet to run it on.

    The way I see it, if you have a brain and use it while browsing, you are generally fine. But people are stupid. And if you are going to market your product to stupid people, you need to make sure you do everything you can to minimize the damage stupid people can do to others. (Stupid people generally deserve their own damages...)

    Now to start the debate over which company is more in the business of marketing to stupid people...
