Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
OS X Businesses Operating Systems Security Upgrades Apple

Security Updates, Notices for Mac OS X 74

Myrrh writes "eEye reports they discovered a heap overflow in QuickTime 6.5, which 'allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code.' Now's a swell time to visit Apple and download the updates for both programs." Also, Apple today released Security Update 2004-05-03, which includes updates for AFP Server, CoreFoundation, and IPSec, and is, like the QuickTime 6.5.1 update, available via Software Update.
This discussion has been archived. No new comments can be posted.

Security Updates, Notices for Mac OS X

Comments Filter:
  • by mkavanagh2 ( 776662 ) on Monday May 03, 2004 @06:11PM (#9046272)
    Mac OS X does get less security problems than any other OS..perhaps apart from BeOS, but I think we can guess why BeOS doesn't get holes found ;)
  • Hmm... (Score:5, Funny)

    by hookedup ( 630460 ) on Monday May 03, 2004 @06:14PM (#9046289)
    'allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code.' damn that apple, even their exploits are reliable!? i'm really thinking about making the switch..
  • I think I'll wait a while before downloading these patches, Apple seems to have a bit of a history of b0rking things with them, like that iTunes patch that came a while back. Oh, and I don't have a mac yet;-(
    • Kinda reminds me of Microsoft's history really, especially when they try and fix 14 exploits in one super patch.

      On the other hand, I know people in Apple, and I know the security updates are given a firm shaking down before they are released into the wild, even the Jaguar updates.

  • The heap overflow vulnerability mentioned here only applies to the Windows version of the Quicktime player, not the Mac OS version.

    See here [idefense.com] (section IV), or here [macmegasite.com], or here [cert.org].

  • by amichalo ( 132545 ) on Monday May 03, 2004 @06:25PM (#9046373)
    Mod this a -1 STUPID but who finds most of these security flaws?

    No matter if it's OS X, Windows, or Linux, there are always these security fixes popping up. I assume there is a QA team that is working on this stuff but unless there is a vulnerability that manifests itself in the form of a virus or hacked system, who finds these things and why were they looking in the first place?
    • by NivenHuH ( 579871 ) * on Monday May 03, 2004 @08:55PM (#9047497) Homepage
      .. Security consultants.. students.. developers.. hobbyists.. hackers (white hat or black hat).. etc..
      • can we please stop using the white/black hat nomenclature?

        Hackers are people just like everybody else. Nobody is 100% good or evil. We make choices for the same reasons and feelings as everybody else. Have you ever heard of a black hat janitor? Chef? Architect?

        Of course not. This black/white hat nonsense objectifies, polarizes and just fuels prejudice towards us. We need people to get to know us as individuals and make up their own minds, not give them a way of pidgeon holing and prejudging us.
    • *Note: I have 0 (zero) programming talents*
      But why do we still have buffer overflows. Maybe i've got the wrong impression, but i thought that overflows were a trivial issue to fix & equally as simple to avoid. Call me ignorant if you'd like (though a decent non-flaming response would be better) but how super-simple testing isn't standard practice?

      I RTFG (RTF Google) [google.com] and the third article down [isoc.org] (watch out, its a pdf) says bounds checking is usually turned off 'in the name of efficiency'. How hard is it fo

  • Apple email (Score:5, Informative)

    by blb ( 412923 ) on Monday May 03, 2004 @06:53PM (#9046602) Homepage
    See Apple's email [apple.com] for info and links to the downloads.
  • by weld ( 4477 ) on Monday May 03, 2004 @06:57PM (#9046638)
    If you have AFS turned on, patch now.

    @Stake Security Advisory

    Advisory Name: AppleFileServer Remote Command Execution
    Release Date: 05/03/2004
    Application: AppleFileServer
    Platform: MacOS X 10.3.3 and below
    Severity: A remote attacker can execute arbitrary
    commands as root
    Authors: Dave G.
    Dino Dai Zovi
    Vendor Status: Informed, Upgrade Available
    CVE Candidate: CAN-2004-0430
    Reference: www.atstake.com/research/advisories/2004/a050304-1 .txt

    Overview:

    The AppleFileServer provides Apple Filing Protocol (AFP) services for
    both Mac OS X and Mac OS X server. AFP is a protocol used to
    remotely mount drives, similar to NFS or SMB/CIFS. There is a
    pre-authentication, remotely exploitable stack buffer overflow that
    allows an attacker to obtain administrative privileges and execute
    commands as root.

    Details:

    The AppleFileServer provides Apple Filing Protocol (AFP) services
    for both Mac OS X and Mac OS X server. AFP is a protocol used to
    remotely mount drives, similar to NFS or SMB/CIFS. AFP is not
    enabled by default. It is enabled through the Sharing Preferences
    section by selecting the 'Personal File Sharing' checkbox.

    Thereis a pre-authentication remotely exploitable stack buffer
    overflow that allows an attacker to obtain administrative
    privileges. The overflow occurs when parsing the PathName argument
    from LoginExt packet requesting authentication using the Cleartext
    Password User Authentication Method (UAM). The PathName argument
    is encoded as one-byte specifying the string type, two-bytes
    specifying the string length, and finally the string itself. A
    string of type AFPName (0x3) that is longer than the length declared
    in the packet will overflow the fixed-size stack buffer.

    The previously described malformed request results in a trivially
    exploitable stack buffer overflow. @stake was able to quickly
    develop a proof-of-concept exploit that portably demonstrates this
    vulnerability across multiple Mac OS X versions including Mac OS X
    10.3.3, 10.3.2, and 10.2.8.

    • Interesting that AFP has a remote root exploit, considering you can't even log in as root via AFP. Admin yes, root no, not in any version of OS X.

      I'm not calling bullshit, but the air smells kind of funny here...
    • by HSpirit ( 519997 ) on Monday May 03, 2004 @09:56PM (#9047834)

      Wow, that's a pretty severe vulnerability to make it through Apple's QA processes...

      As the previous poster intimates, without an intervening firewall, if you've got AFP turned on (and probably any workgroup of 2 or more Macs would) you're hosed.

      A further issue with this is that the inbuilt GUI firewall front-end provided by Apple is brain-dead in that it doesn't allow you to configure per interface rules. This means that if you want a dual-homed Mac acting as a gateway to share files on its internal interface, the external interface is left vulnerable.

      The actual firewall backend - ipfw, inbuilt and inherited from FreeBSD - is sufficiently sophisticated to enable per interface rules, but to access this functionality you need to completely disable the GUI firewall front-end and configure ipfw yourself using the command line.

      It's been this way since Jaguar (10.2) and I sincerely hope that Apple fix this in 10.4 otherwise - with vulnerabilities like this - its reputation for security over its Windows rivals will be sorely tested.

      • by fyonn ( 115426 ) <dave@fyonn.net> on Tuesday May 04, 2004 @02:06AM (#9048995) Homepage
        fyi: it also only firewalls TCP. UDP is left completely unfirewalled, presumeably to make ichatav easier to deal with.

        for the most part, there is little listening on a mac to be exploited even if you run with no wall so usually it's not the biggest of issues.

        dave
      • by wkcole ( 644783 ) on Tuesday May 04, 2004 @11:14AM (#9052242)
        The actual firewall backend - ipfw, inbuilt and inherited from FreeBSD - is sufficiently sophisticated to enable per interface rules, but to access this functionality you need to completely disable the GUI firewall front-end and configure ipfw yourself using the command line.

        Actually, it's slightly simpler than this. You can add rules via the command line interface or via other tools [dyndns.org] and the Apple firewall config panel simply becomes non-functional with a note added that other firewall software is in use. IOW: no need to explicitly turn the Apple GUI off.

  • bad updates (Score:4, Funny)

    by Anonymous Coward on Monday May 03, 2004 @07:02PM (#9046682)
    so what are these updates going to break? let's start a pool.
    • Re:bad updates (Score:3, Insightful)

      by 47Ronin ( 39566 )
      I've run security updates on dozens of Macs over the last two years and have yet to see one break anything. This isn't like Microsoft Windows, y'know
      • by sld126 ( 667783 )
        It always makes me laugh when windoze people switch.

        "It didn't say to reboot, but I'd feel better"
        "Yes, I need to install everything, even if I never buy an iSight"

        I just stand amazed that they've been so abused that they don't know anything better.
      • Re:bad updates (Score:2, Interesting)

        by lullabud ( 679893 )

        I've run security updates on dozens of Macs over the last two years and have yet to see one break anything. This isn't like Microsoft Windows, y'know

        contrarily, i've been using mac's for just over a year now and i've had one update install an ethernet driver that didn't work, and another update kernel panic my system into an unbootable state. however, i have to say that fixing these problems was way easier than anything i've seen in all the years i've been working on windows boxen.

    • Re:bad updates (Score:2, Interesting)

      by dthree ( 458263 )
      I ran the updater on 2 macs at home and now I can't file share between them at all, cool! Now THAT is security!

      I'm afraid of doing the update on my g5 office mac. I can't afford to loose filesharing, but now that the exploit is "published" all kinds of lemurs are gonna be trying to find the unpatched macs to exploit.
  • Every time QT for Windows tries to paint the annoying "register now or later" splash-screen/pop-up, it immediately crashes. This is on Windows 2003 server with a Matrox G450 Dual-Head video card running the latest Matrox video drivers. This has been happening for me with the entire 6.x series of QuickTime for Windows.

    Is anyone seeing this? Apple must not bother to ask Microsoft for the Windows Error Reporting data on QuickTime, because I've only submitted error reports on this crash about a bazillion ti
    • Have you tried turning off hardware acceleration in the Quicktime control panel?
  • Right after I rebooted after installing the security update, Mac OS X started up and then showed the gray kernel panic screen after I logged in. I rebooted again, and it appears to be running fine, though I'll probably run Disk First Aid soon.
  • I see that fear and panic has ensued over Apple's latest updates. Well it went well on my 10.3.3 system and has not yet affected any other programs. I think, therefore iMac. - Highly unoriginal
  • Uh oh (Score:3, Interesting)

    by fr0dicus ( 641320 ) on Tuesday May 04, 2004 @03:00AM (#9049157) Journal
    My girlfriends iBook G4 (about two weeks old!) kernel panic'd in the Optimization stage of the update..... had to power button it, and now the spinning boot logo displays forever.... archive reinstall time?
    • Re:Uh oh (Score:2, Insightful)

      by lullabud ( 679893 )
      If you boot to the OS X install CD there will be an "Options" button that you can check which will give you the option to move the old system to a different folder, install a new system and then re-import all the user-specific settings that you had previously.

      Windows never had an reinstall option like that...
  • my Mail program is completely wiped and reset wtf??? this happen to anyone else?
  • Detail?? (Score:3, Interesting)

    by -tji ( 139690 ) on Tuesday May 04, 2004 @09:09PM (#9059427) Journal
    Is there any more thorough source of information on the nature of the changes in the security update?

    For example, what IPSec changes were made?
  • OK, it's time for that "what's a spline [faqs.org]" question -- how do these things actually work?

    I understand how to confuse the computer -- give it a sufficiently large "number of entries" such that (n+2)*16 is larger than (2^m-1).

    But how does overwriting the rest of memory allow you to gain control? Surely the "execution" pointer -- where the computer is looking next for an instruction -- is in some unpredictable place relative to the code you've written in to the heap? Is this just a way to crash the machine a

  • eEye?

    eEye?

    Oh.

Genius is ten percent inspiration and fifty percent capital gains.

Working...