Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Updates, Notices for Mac OS X

Posted by pudge on from the happy-update-monday dept.

Myrrh writes "eEye reports they discovered a heap overflow in QuickTime 6.5, which 'allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code.' Now's a swell time to visit Apple and download the updates for both programs." Also, Apple today released Security Update 2004-05-03, which includes updates for AFP Server, CoreFoundation, and IPSec, and is, like the QuickTime 6.5.1 update, available via Software Update.

13 of 74 comments (clear)

  1. Windows version, not Mac OS. by chrismear · · Score: 2, Informative

    The heap overflow vulnerability mentioned here only applies to the Windows version of the Quicktime player, not the Mac OS version.

    See here (section IV), or here, or here.

    1. Re:Windows version, not Mac OS. by hard-mac · · Score: 5, Informative
      This quicktime heap overflow vulnerability does affect OSX :

      eeye.com advisory

      It was fixed in a seperate Quicktime update released last friday:

      http://www.macsecurity.org/node.php?id=141

    2. Re:Windows version, not Mac OS. by chrismear · · Score: 2, Informative

      Whoops. You're right. Thanks hard-mac and prockcore. Mod grandparent down. ;)

      This'll teach me to try and read tech articles in the early hours of the morning...

  2. Apple email by blb · · Score: 5, Informative

    See Apple's email for info and links to the downloads.

  3. AFS server issue is a remote root vulnerability by weld · · Score: 5, Informative

    If you have AFS turned on, patch now.

    @Stake Security Advisory

    Advisory Name: AppleFileServer Remote Command Execution
    Release Date: 05/03/2004
    Application: AppleFileServer
    Platform: MacOS X 10.3.3 and below
    Severity: A remote attacker can execute arbitrary
    commands as root
    Authors: Dave G.
    Dino Dai Zovi
    Vendor Status: Informed, Upgrade Available
    CVE Candidate: CAN-2004-0430
    Reference: www.atstake.com/research/advisories/2004/a050304-1 .txt

    Overview:

    The AppleFileServer provides Apple Filing Protocol (AFP) services for
    both Mac OS X and Mac OS X server. AFP is a protocol used to
    remotely mount drives, similar to NFS or SMB/CIFS. There is a
    pre-authentication, remotely exploitable stack buffer overflow that
    allows an attacker to obtain administrative privileges and execute
    commands as root.

    Details:

    The AppleFileServer provides Apple Filing Protocol (AFP) services
    for both Mac OS X and Mac OS X server. AFP is a protocol used to
    remotely mount drives, similar to NFS or SMB/CIFS. AFP is not
    enabled by default. It is enabled through the Sharing Preferences
    section by selecting the 'Personal File Sharing' checkbox.

    Thereis a pre-authentication remotely exploitable stack buffer
    overflow that allows an attacker to obtain administrative
    privileges. The overflow occurs when parsing the PathName argument
    from LoginExt packet requesting authentication using the Cleartext
    Password User Authentication Method (UAM). The PathName argument
    is encoded as one-byte specifying the string type, two-bytes
    specifying the string length, and finally the string itself. A
    string of type AFPName (0x3) that is longer than the length declared
    in the packet will overflow the fixed-size stack buffer.

    The previously described malformed request results in a trivially
    exploitable stack buffer overflow. @stake was able to quickly
    develop a proof-of-concept exploit that portably demonstrates this
    vulnerability across multiple Mac OS X versions including Mac OS X
    10.3.3, 10.3.2, and 10.2.8.

    1. Re:AFS server issue is a remote root vulnerability by weld · · Score: 5, Informative

      The AFP process runs as root so when the stack overflows you can run code as root. AFP wisely won't let you authenticate as roote even though it is running as root.

      Make sense?

      -weld

    2. Re:AFS server issue is a remote root vulnerability by weld · · Score: 3, Informative

      To exploit this you need to code up your own client. It has to do with overflowing the password field by sending invalid packets. You can't do this with any of the standard clients.

      -weld

    3. Re:AFS server issue is a remote root vulnerability by HSpirit · · Score: 4, Informative

      Wow, that's a pretty severe vulnerability to make it through Apple's QA processes...

      As the previous poster intimates, without an intervening firewall, if you've got AFP turned on (and probably any workgroup of 2 or more Macs would) you're hosed.

      A further issue with this is that the inbuilt GUI firewall front-end provided by Apple is brain-dead in that it doesn't allow you to configure per interface rules. This means that if you want a dual-homed Mac acting as a gateway to share files on its internal interface, the external interface is left vulnerable.

      The actual firewall backend - ipfw, inbuilt and inherited from FreeBSD - is sufficiently sophisticated to enable per interface rules, but to access this functionality you need to completely disable the GUI firewall front-end and configure ipfw yourself using the command line.

      It's been this way since Jaguar (10.2) and I sincerely hope that Apple fix this in 10.4 otherwise - with vulnerabilities like this - its reputation for security over its Windows rivals will be sorely tested.

    4. Re:AFS server issue is a remote root vulnerability by fyonn · · Score: 4, Informative

      fyi: it also only firewalls TCP. UDP is left completely unfirewalled, presumeably to make ichatav easier to deal with.

      for the most part, there is little listening on a mac to be exploited even if you run with no wall so usually it's not the biggest of issues.

      dave

    5. Re:AFS server issue is a remote root vulnerability by wkcole · · Score: 4, Informative
      The actual firewall backend - ipfw, inbuilt and inherited from FreeBSD - is sufficiently sophisticated to enable per interface rules, but to access this functionality you need to completely disable the GUI firewall front-end and configure ipfw yourself using the command line.

      Actually, it's slightly simpler than this. You can add rules via the command line interface or via other tools and the Apple firewall config panel simply becomes non-functional with a note added that other firewall software is in use. IOW: no need to explicitly turn the Apple GUI off.

  4. Re:Who finds these security holes? by NivenHuH · · Score: 4, Informative

    .. Security consultants.. students.. developers.. hobbyists.. hackers (white hat or black hat).. etc..

    --
    Just when you make it idiotproof, some idiot builds a better idiot.
  5. At least one update went well by jubitzu · · Score: 2, Informative

    I see that fear and panic has ensued over Apple's latest updates. Well it went well on my 10.3.3 system and has not yet affected any other programs. I think, therefore iMac. - Highly unoriginal

  6. Re:heap overflows -- how does this work? by beattie · · Score: 2, Informative

    It's not really at some "unpredictable" place.
    l0pht article