Slashdot Mirror


Security Updates, Notices for Mac OS X

Myrrh writes "eEye reports they discovered a heap overflow in QuickTime 6.5, which 'allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code.' Now's a swell time to visit Apple and download the updates for both programs." Also, Apple today released Security Update 2004-05-03, which includes updates for AFP Server, CoreFoundation, and IPSec, and is, like the QuickTime 6.5.1 update, available via Software Update.

74 comments

  1. In fairness, though by mkavanagh2 · · Score: 5, Funny

    Mac OS X does get fewer security problems than any other OS... perhaps apart from BeOS, but I think we can guess why BeOS doesn't get holes found ;)

    1. Re:In fairness, though by prockcore · · Score: 5, Funny

      I think we can guess why BeOS doesn't get holes found

      Is it because no one is able to get their ethernet cards to work under BeOS?

    2. Re:In fairness, though by DAldredge · · Score: 2, Insightful

      Only if you leave out MVS.

  2. Hmm... by hookedup · · Score: 5, Funny

    'allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code.' damn that apple, even their exploits are reliable!? i'm really thinking about making the switch..

    1. Re:Hmm... by ariel5000 · · Score: 5, Funny

      I don't know about you, but i think that the only reliable things about Windows are the exploits.

    2. Re:Hmm... by Anonymous Coward · · Score: 1, Interesting

      Reliable? No way man, haven't you read how blaster and sasser etc work? Half the time they go infect other computers, half the time they just crash and reboot the machine.

  3. when will karma whores stop by Anonymous Coward · · Score: 2, Funny

    stealing the first posts of honest american slashdot trolls, you insensitive clod!

  4. Guinea Pig? Not Me by PedanticSpellingTrol · · Score: 2, Funny

    I think I'll wait a while before downloading these patches, Apple seems to have a bit of a history of b0rking things with them, like that iTunes patch that came a while back. Oh, and I don't have a mac yet;-(

    1. Re:Guinea Pig? Not Me by mj_1903 · · Score: 1
      Kinda reminds me of Microsoft's history really, especially when they try and fix 14 exploits in one super patch.

      On the other hand, I know people in Apple, and I know the security updates are given a firm shaking down before they are released into the wild, even the Jaguar updates.

  5. Windows version, not Mac OS. by chrismear · · Score: 2, Informative

    The heap overflow vulnerability mentioned here only applies to the Windows version of the Quicktime player, not the Mac OS version.

    See here (section IV), or here, or here.

    1. Re:Windows version, not Mac OS. by hard-mac · · Score: 5, Informative
      This quicktime heap overflow vulnerability does affect OSX :

      eeye.com advisory

      It was fixed in a separate Quicktime update released last friday:

      http://www.macsecurity.org/node.php?id=141

    2. Re:Windows version, not Mac OS. by prockcore · · Score: 4, Interesting

      The heap overflow vulnerability mentioned here only applies to the Windows version of the Quicktime player, not the Mac OS version.

      Actually, that's a completely separate vulnerability. The one talked about here is the one discovered by eEye and not the one discovered by iDefense.

      This is not surprising, just 1 month ago I mentioned that quicktime was vulnerable to buffer overflows left and right because there is absolutely no input validation done. I was flamed for saying that, but here we have 3 different buffer overflows patched all at once.

    3. Re:Windows version, not Mac OS. by chrismear · · Score: 2, Informative

      Whoops. You're right. Thanks hard-mac and prockcore. Mod grandparent down. ;)

      This'll teach me to try and read tech articles in the early hours of the morning...

    4. Re:Windows version, not Mac OS. by Anonymous Coward · · Score: 0

      But wasn't QT6.5.1 updated when the last iTunes was released... me thinks so...

  6. Who finds these security holes? by amichalo · · Score: 4, Interesting

    Mod this a -1 STUPID but who finds most of these security flaws?

    No matter if it's OS X, Windows, or Linux, there are always these security fixes popping up. I assume there is a QA team that is working on this stuff but unless there is a vulnerability that manifests itself in the form of a virus or hacked system, who finds these things and why were they looking in the first place?

    --
    I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
    1. Re:Who finds these security holes? by NivenHuH · · Score: 4, Informative

      .. Security consultants.. students.. developers.. hobbyists.. hackers (white hat or black hat).. etc..

      --
      Just when you make it idiotproof, some idiot builds a better idiot.
    2. Re:Who finds these security holes? by mr_burns · · Score: 1

      can we please stop using the white/black hat nomenclature?

      Hackers are people just like everybody else. Nobody is 100% good or evil. We make choices for the same reasons and feelings as everybody else. Have you ever heard of a black hat janitor? Chef? Architect?

      Of course not. This black/white hat nonsense objectifies, polarizes and just fuels prejudice towards us. We need people to get to know us as individuals and make up their own minds, not give them a way of pigeonholing and prejudging us.

      --
      "Let him go, Ralph. He knows what he's doing." --Otto Mann (simpsons)
    3. Re:Who finds these security holes? by Anonymous Coward · · Score: 0

      That's the point of the term, dumbass.

      One can change your role as easily as changing your hat.

  7. What can I say? by photoblur · · Score: 3, Funny

    I guess Macs are just more reliable computers all around...

    *ducks*

  8. Apple email by blb · · Score: 5, Informative

    See Apple's email for info and links to the downloads.

  9. AFS server issue is a remote root vulnerability by weld · · Score: 5, Informative

    If you have AFS turned on, patch now.

    @Stake Security Advisory

    Advisory Name: AppleFileServer Remote Command Execution
    Release Date: 05/03/2004
    Application: AppleFileServer
    Platform: MacOS X 10.3.3 and below
    Severity: A remote attacker can execute arbitrary commands as root
    Authors: Dave G., Dino Dai Zovi
    Vendor Status: Informed, Upgrade Available
    CVE Candidate: CAN-2004-0430
    Reference: www.atstake.com/research/advisories/2004/a050304-1.txt

    Overview:

    The AppleFileServer provides Apple Filing Protocol (AFP) services for
    both Mac OS X and Mac OS X server. AFP is a protocol used to
    remotely mount drives, similar to NFS or SMB/CIFS. There is a
    pre-authentication, remotely exploitable stack buffer overflow that
    allows an attacker to obtain administrative privileges and execute
    commands as root.

    Details:

    The AppleFileServer provides Apple Filing Protocol (AFP) services
    for both Mac OS X and Mac OS X server. AFP is a protocol used to
    remotely mount drives, similar to NFS or SMB/CIFS. AFP is not
    enabled by default. It is enabled through the Sharing Preferences
    section by selecting the 'Personal File Sharing' checkbox.

    There is a pre-authentication remotely exploitable stack buffer
    overflow that allows an attacker to obtain administrative
    privileges. The overflow occurs when parsing the PathName argument
    from a LoginExt packet requesting authentication using the Cleartext
    Password User Authentication Method (UAM). The PathName argument
    is encoded as one byte specifying the string type, two bytes
    specifying the string length, and finally the string itself. A
    string of type AFPName (0x3) that is longer than the length declared
    in the packet will overflow the fixed-size stack buffer.

    The previously described malformed request results in a trivially
    exploitable stack buffer overflow. @stake was able to quickly
    develop a proof-of-concept exploit that portably demonstrates this
    vulnerability across multiple Mac OS X versions including Mac OS X
    10.3.3, 10.3.2, and 10.2.8.
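    As an added example (not code from the @stake advisory or from Apple), a bounds-checked parser in C for the PathName encoding the advisory describes: one byte of string type, two bytes of length, then the string. The fixed buffer size, the network byte order of the length field and the sample packets are constructed assumptions; the parser refuses any declared length that runs past the packet or would not fit the fixed buffer, which is the kind of check whose absence the advisory describes.

    ```c
    #include <stddef.h>
    #include <stdint.h>
    #include <stdio.h>
    #include <string.h>

    /* Assumed size of the fixed buffer that receives the decoded PathName.
     * The advisory does not give the real size used by AppleFileServer;
     * this value is constructed for the example. */
    #define PATHNAME_CAP 256
    #define AFP_NAME_TYPE 0x03   /* AFPName string type, as named in the advisory */

    enum parse_result {
        PARSE_OK = 0,
        PARSE_TRUNCATED_HEADER,      /* fewer than 3 bytes: type + 2-byte length */
        PARSE_BAD_TYPE,              /* string type is not AFPName */
        PARSE_LENGTH_EXCEEDS_PACKET, /* declared length runs past the packet data */
        PARSE_LENGTH_EXCEEDS_BUFFER  /* declared length would not fit the fixed buffer */
    };

    /* Parse a PathName argument: 1 byte type, 2-byte length (assumed big-endian),
     * then the string bytes. Copies into the caller's fixed-size buffer only after
     * the declared length has been checked against both the packet and the buffer. */
    enum parse_result parse_pathname(const uint8_t *pkt, size_t pkt_len,
                                     char out[PATHNAME_CAP], size_t *out_len)
    {
        if (pkt_len < 3) return PARSE_TRUNCATED_HEADER;
        if (pkt[0] != AFP_NAME_TYPE) return PARSE_BAD_TYPE;
        size_t declared = ((size_t)pkt[1] << 8) | pkt[2];
        if (declared > pkt_len - 3) return PARSE_LENGTH_EXCEEDS_PACKET;
        if (declared >= PATHNAME_CAP) return PARSE_LENGTH_EXCEEDS_BUFFER; /* keep room for NUL */
        memcpy(out, pkt + 3, declared);
        out[declared] = '\0';
        *out_len = declared;
        return PARSE_OK;
    }

    /* Constructed sample packets (not captured traffic); returns the parser verdict. */
    enum parse_result classify_sample(int which)
    {
        /* Well-formed: type 0x03, length 0x0005, "share" */
        static const uint8_t ok[] = {0x03, 0x00, 0x05, 's', 'h', 'a', 'r', 'e'};
        /* Declares 0x0400 (1024) bytes but only 5 follow: would read past the packet */
        static const uint8_t past_packet[] = {0x03, 0x04, 0x00, 's', 'h', 'a', 'r', 'e'};
        /* Type byte and half a length field: header is truncated */
        static const uint8_t truncated[] = {0x03, 0x00};
        char buf[PATHNAME_CAP];
        size_t n = 0;
        switch (which) {
        case 0: return parse_pathname(ok, sizeof ok, buf, &n);
        case 1: return parse_pathname(past_packet, sizeof past_packet, buf, &n);
        case 2: return parse_pathname(truncated, sizeof truncated, buf, &n);
        case 3: {
            /* 300-byte name, honestly declared and fully present, but longer than
             * the fixed buffer: the case a naive copy would overflow on */
            uint8_t big[3 + 300];
            big[0] = AFP_NAME_TYPE;
            big[1] = (uint8_t)(300 >> 8);
            big[2] = (uint8_t)(300 & 0xff);
            memset(big + 3, 'A', 300);
            return parse_pathname(big, sizeof big, buf, &n);
        }
        default: return PARSE_BAD_TYPE;
        }
    }

    int main(void)
    {
        static const char *names[] = {"OK", "TRUNCATED_HEADER", "BAD_TYPE",
                                      "LENGTH_EXCEEDS_PACKET", "LENGTH_EXCEEDS_BUFFER"};
        for (int i = 0; i < 4; i++)
            printf("sample %d: %s\n", i, names[classify_sample(i)]);
        return 0;
    }
    ```
    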

    1. Re:AFS server issue is a remote root vulnerability by sld126 · · Score: 2, Insightful

      Interesting that AFP has a remote root exploit, considering you can't even log in as root via AFP. Admin yes, root no, not in any version of OS X.

      I'm not calling bullshit, but the air smells kind of funny here...

      --
      You're just jealous because the voices only talk to me.
    2. Re:AFS server issue is a remote root vulnerability by weld · · Score: 5, Informative

      The AFP process runs as root so when the stack overflows you can run code as root. AFP wisely won't let you authenticate as root even though it is running as root.

      Make sense?

      -weld

    3. Re:AFS server issue is a remote root vulnerability by sld126 · · Score: 2, Insightful

      So, if you use the GUI as the remote login, you can't. But if you use mount_afp with an oversized login name, you can?

      --
      You're just jealous because the voices only talk to me.
    4. Re:AFS server issue is a remote root vulnerability by weld · · Score: 3, Informative

      To exploit this you need to code up your own client. It has to do with overflowing the password field by sending invalid packets. You can't do this with any of the standard clients.

      -weld

    5. Re:AFS server issue is a remote root vulnerability by HSpirit · · Score: 4, Informative

      Wow, that's a pretty severe vulnerability to make it through Apple's QA processes...

      As the previous poster intimates, without an intervening firewall, if you've got AFP turned on (and probably any workgroup of 2 or more Macs would) you're hosed.

      A further issue with this is that the inbuilt GUI firewall front-end provided by Apple is brain-dead in that it doesn't allow you to configure per interface rules. This means that if you want a dual-homed Mac acting as a gateway to share files on its internal interface, the external interface is left vulnerable.

      The actual firewall backend - ipfw, inbuilt and inherited from FreeBSD - is sufficiently sophisticated to enable per interface rules, but to access this functionality you need to completely disable the GUI firewall front-end and configure ipfw yourself using the command line.

      It's been this way since Jaguar (10.2) and I sincerely hope that Apple fix this in 10.4 otherwise - with vulnerabilities like this - its reputation for security over its Windows rivals will be sorely tested.

    6. Re:AFS server issue is a remote root vulnerability by fyonn · · Score: 4, Informative

      fyi: it also only firewalls TCP. UDP is left completely unfirewalled, presumably to make iChat AV easier to deal with.

      for the most part, there is little listening on a mac to be exploited even if you run with no wall so usually it's not the biggest of issues.

      dave

    7. Re:AFS server issue is a remote root vulnerability by wkcole · · Score: 4, Informative
      The actual firewall backend - ipfw, inbuilt and inherited from FreeBSD - is sufficiently sophisticated to enable per interface rules, but to access this functionality you need to completely disable the GUI firewall front-end and configure ipfw yourself using the command line.

      Actually, it's slightly simpler than this. You can add rules via the command line interface or via other tools and the Apple firewall config panel simply becomes non-functional with a note added that other firewall software is in use. IOW: no need to explicitly turn the Apple GUI off.

    8. Re:AFS server issue is a remote root vulnerability by Mattbot23 · · Score: 1

      For the record, the root user can login to AFP if one enables root login in the NetInfo database.

      Look in the local NetInfo /config/AppleFileServer/ at the allow_root_login property. If it is set to 1 instead of 0 then the root user may use AFP. It's best to leave it at 0 but one doesn't have to do so.

  10. bad updates by Anonymous Coward · · Score: 4, Funny

    so what are these updates going to break? let's start a pool.

    1. Re:bad updates by 47Ronin · · Score: 2, Insightful

      I've run security updates on dozens of Macs over the last two years and have yet to see one break anything. This isn't like Microsoft Windows, y'know

      --
      Those who laugh at you for you having a Mac.. are the people who constantly call you to fix their PC.
    2. Re:bad updates by sld126 · · Score: 3, Funny

      It always makes me laugh when windoze people switch.

      "It didn't say to reboot, but I'd feel better"
      "Yes, I need to install everything, even if I never buy an iSight"

      I just stand amazed that they've been so abused that they don't know anything better.

      --
      You're just jealous because the voices only talk to me.
    3. Re:bad updates by Anonymous Coward · · Score: 0

      It's been known to happen, but rarely. It isn't Windows.

    4. Re:bad updates by Anonymous Coward · · Score: 0

      Speaking of which, we have now documented several major bugs released with the combination of Final Cut Pro HD and the Quicktime update...although nothing as compromising as the heap overflow.

      As for "what can they break"...er, dude...Quicktime runs as root in X...The answer to that would be "EVERYTHING!!!!" If you can cause a heap overflow in a program running as root you can inject code after the crash that also executes as root...serious stuff.

      Would anyone exploit it? Only if it wasn't fixed (on ANY platform).

      If you haven't run the updates yet, wait until next week when we release the other patches if you use FCP...

    5. Re:bad updates by dthree · · Score: 2, Interesting

      I ran the updater on 2 macs at home and now I can't file share between them at all, cool! Now THAT is security!

      I'm afraid of doing the update on my g5 office mac. I can't afford to lose filesharing, but now that the exploit is "published" all kinds of lemurs are gonna be trying to find the unpatched macs to exploit.

      --
      "I forgot my mantra."
    6. Re:bad updates by falcon5768 · · Score: 1
      I think the poster was making a bad "breaks programs Apple doesn't want you to run" joke...

      Like how iTunes got rid of the programs that bypassed fairplay protected files

      As for REALLY breaking things, the only one that ever kicked my ass was the infamous iTunes 2 download that destroyed some macs that got pulled in the first 10 minutes

      --

      "Slashdot, where telling the truth is overrated but lying is insightful."

    7. Re:bad updates by lullabud · · Score: 3, Insightful
      Please show one Windows update that erased your entire hard drive (like iTunes), or prevented it from booting (like iTunes for Windows and one OS-X update), or any of the other SEVERE issues that Apple continually has with updates.

      It was either the IE 5 or IE 5.5 update on win98 that corrupted the OS so that it needed to be reloaded. When I worked at Gateway we told people NOT to update their browsers if they weren't having problems because we were sick of having to FFR (Fdisk, Format, Reload) people's systems when the patch made their systems unbootable.
    8. Re:bad updates by lullabud · · Score: 2, Interesting
      I've run security updates on dozens of Macs over the last two years and have yet to see one break anything. This isn't like Microsoft Windows, y'know

      Contrarily, I've been using Macs for just over a year now and I've had one update install an ethernet driver that didn't work, and another update kernel panic my system into an unbootable state. However, I have to say that fixing these problems was way easier than anything I've seen in all the years I've been working on windows boxen.
    9. Re:bad updates by Anonymous Coward · · Score: 0

      So there was one back in the Win98 days? Wow. Sounds like they really set a precedent there. I guess when Apple releases these every other month or so that cause major system disabling/data destroying problems, we can all point and laugh and go OMG!!! IT IS SO WINDOWS!1!!! MICORSORFT IS TEH SUXORS!!1!

  11. Anyone else have this problem with QT for Win? by c0d3h4x0r · · Score: 2, Interesting

    Every time QT for Windows tries to paint the annoying "register now or later" splash-screen/pop-up, it immediately crashes. This is on Windows 2003 server with a Matrox G450 Dual-Head video card running the latest Matrox video drivers. This has been happening for me with the entire 6.x series of QuickTime for Windows.

    Is anyone seeing this? Apple must not bother to ask Microsoft for the Windows Error Reporting data on QuickTime, because I've only submitted error reports on this crash about a bazillion times now.

    --
    Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
    1. Re:Anyone else have this problem with QT for Win? by Anonymous Coward · · Score: 2

      Have you tried turning off hardware acceleration in the Quicktime control panel?

    2. Re:Anyone else have this problem with QT for Win? by Anonymous Coward · · Score: 0

      what the fuck are you doing running quicktime on a server ? are you stupid ?

    3. Re:Anyone else have this problem with QT for Win? by Dahan · · Score: 0, Flamebait

      Some people think it's l33t to be running a warezed copy of a server OS as their desktop system. Why does a server need a dual-head setup? My server doesn't even have a monitor...

    4. Re:Anyone else have this problem with QT for Win? by fyonn · · Score: 2, Insightful

      perhaps he's doing server development on his desktop? just cos he's running a server version of the OS doesn't mean his machine is actually the PDC and should be locked away in a room. maybe there is some feature in the server version he needs on his desktop. it's not like it doesn't make an acceptable desktop (assuming you're a windows fan)

      dave

    5. Re:Anyone else have this problem with QT for Win? by fr0dicus · · Score: 1

      Why would you *ever* need to run Quicktime client on a server?

    6. Re:Anyone else have this problem with QT for Win? by Jeremy+Erwin · · Score: 2, Insightful

      The difference between a workstation and a server is an artificial one-- a marketer's delineation, designed to extract the largest amount of cash out of a customer base.

      Sorry. If you want the extra CPU utilized, buy the server edition. If you want to serve files to more than 5 users, buy the server edition. If you want to host a database, buy the server edition.

      The limitations are enough to make someone try linux-- where the border between server and workstation is a bit more fluid.

    7. Re:Anyone else have this problem with QT for Win? by c0d3h4x0r · · Score: 1

      I do development work and our target platform is Windows 2003 Server. So that's what I have to run as my development desktop.

      Are you stupid, or just an ass hole?

      --
      Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
    8. Re:Anyone else have this problem with QT for Win? by fyonn · · Score: 1

      Why would you *ever* need to run Quicktime client on a server?

      *sigh* because he may be running the server version of the OS as a desktop. why is there a difference between "server" and "desktop"? it's purely artificial by OS vendors. if there is a feature he needs on his desktop that only the server version allows then why should he not run the server version as a desktop OS?

      when there is a "server" version of an OS, it's usually the desktop one with some restrictions removed and the price multiplied. that's all

      dave

  12. Mac OS X Just Crashed by gooru · · Score: 1

    Right after I rebooted after installing the security update, Mac OS X started up and then showed the gray kernel panic screen after I logged in. I rebooted again, and it appears to be running fine, though I'll probably run Disk First Aid soon.

    1. Re:Mac OS X Just Crashed by ChaosWing · · Score: 2, Interesting

      Oddly enough, my Powerbook did the same thing as I was starting it up for the *sole purpose* of installing the update.

  13. At least one update went well by jubitzu · · Score: 2, Informative

    I see that fear and panic has ensued over Apple's latest updates. Well it went well on my 10.3.3 system and has not yet affected any other programs. I think, therefore iMac. - Highly unoriginal

    1. Re:At least one update went well by Anonymous Coward · · Score: 0

      I think, therefore iMacDaddy

      Pimp, Joe, Pimp

  14. Uh oh by fr0dicus · · Score: 2, Interesting

    My girlfriend's iBook G4 (about two weeks old!) kernel panic'd in the Optimization stage of the update..... had to power button it, and now the spinning boot logo displays forever.... archive reinstall time?

    1. Re:Uh oh by Anonymous Coward · · Score: 0

      I'd say call Apple time.

    2. Re:Uh oh by lullabud · · Score: 2, Insightful

      If you boot to the OS X install CD there will be an "Options" button that you can check which will give you the option to move the old system to a different folder, install a new system and then re-import all the user-specific settings that you had previously.

      Windows never had a reinstall option like that...

    3. Re:Uh oh by fr0dicus · · Score: 1

      Yep, just finished doing that. Not a nice time to get a kernel panic on the whole.

  15. the update reset my Mail prog and erased my mail by RagingDaigo · · Score: 1

    my Mail program is completely wiped and reset wtf??? this happen to anyone else?

  16. Re:the update reset my Mail prog and erased my mai by RagingDaigo · · Score: 1

    and before anyone suggests importing my old mailboxes, that's not the problem.... they're there under username\library\Mail but are completely empty now!

  17. Detail?? by -tji · · Score: 2, Interesting

    Is there any more thorough source of information on the nature of the changes in the security update?

    For example, what IPSec changes were made?

    1. Re:Detail?? by Anonymous Coward · · Score: 0

      There will be (or is already) an updated version of the KBase article that lists all the security updates and what exactly they fixed (with all o' them there CAN things). Do a search. :-)

  18. heap overflows -- how does this work? by sdedeo · · Score: 1
    OK, it's time for that "what's a spline" question -- how do these things actually work?

    I understand how to confuse the computer -- give it a sufficiently large "number of entries" such that (n+2)*16 is larger than (2^m-1).

    But how does overwriting the rest of memory allow you to gain control? Surely the "execution" pointer -- where the computer is looking next for an instruction -- is in some unpredictable place relative to the code you've written in to the heap? Is this just a way to crash the machine as I do if I accidentally reference a memory position I haven't allocated?

    Do you just wait and hope that the pointer ends up in your patch of overwritten memory, and write your malicious code so that you can make sure it never leaves your space? Or is there some way to trick the machine into sending the execution pointer directly to your chunk of code?

    --
    Protect your liberties. Donate to the ACLU
    1. Re:heap overflows -- how does this work? by beattie · · Score: 2, Informative

      It's not really at some "unpredictable" place.
      l0pht article

    2. Re:heap overflows -- how does this work? by Anonymous Coward · · Score: 0

      The quicktime overflow error won't let someone gain any control, the most that'll happen will be that quicktime would quit.

  19. Why do we have these security holes? by TubeSteak · · Score: 1
    *Note: I have 0 (zero) programming talents*
    But why do we still have buffer overflows? Maybe I've got the wrong impression, but I thought that overflows were a trivial issue to fix & equally simple to avoid. Call me ignorant if you'd like (though a decent non-flaming response would be better), but how is super-simple testing not standard practice?

    I RTFG (RTF Google) and the third article down (watch out, it's a PDF) says bounds checking is usually turned off 'in the name of efficiency'. How hard is it for any programmer to run his source through a prog that checks for stupid stuff like this? My favorite part of this kid's paper has to be this:

    An alternate approach is to test programs. A tool called Fuzz was used to test standard UNIX utilities by giving them input consisting of large, random streams of characters[17]. 25-33% of the programs crashed or hung.
    --
    [Fuck Beta]
    o0t!
  20. The farmer's security watchdog? by gryphokk · · Score: 2, Funny

    eEye?

    eEye?

    Oh.

    --
    And you, madam, are very ugly. In the morning, I shall be sober.
    1. Re:The farmer's security watchdog? by Anonymous Coward · · Score: 0

      Oh.... you're sooo funny.

    2. Re:The farmer's security watchdog? by Anonymous Coward · · Score: 0

      nelly right, dat right. E I E I UH OH

      at least that's how i read it.
      p3