Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Updates, Notices for Mac OS X

Posted by pudge on from the happy-update-monday dept.

Myrrh writes "eEye reports they discovered a heap overflow in QuickTime 6.5, which 'allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code.' Now's a swell time to visit Apple and download the updates for both programs." Also, Apple today released Security Update 2004-05-03, which includes updates for AFP Server, CoreFoundation, and IPSec, and is, like the QuickTime 6.5.1 update, available via Software Update.

40 of 74 comments (clear)

  1. In fairness, though by mkavanagh2 · · Score: 5, Funny

    Mac OS X does get less security problems than any other OS..perhaps apart from BeOS, but I think we can guess why BeOS doesn't get holes found ;)

    1. Re:In fairness, though by prockcore · · Score: 5, Funny

      I think we can guess why BeOS doesn't get holes found

      Is it because no one is able to get their ethernet cards to work under BeOS?

    2. Re:In fairness, though by DAldredge · · Score: 2, Insightful

      Only if you leave out MVS.

  2. Hmm... by hookedup · · Score: 5, Funny

    'allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code.' damn that apple, even their exploits are reliable!? i'm really thinking about making the switch..

    1. Re:Hmm... by ariel5000 · · Score: 5, Funny

      I don't know about you, but i think that the only reliable things about Windows are the exploits.

  3. when will karma whores stop by Anonymous Coward · · Score: 2, Funny

    stealing the first posts of honest american slashdot trolls, you insensitive clod!

  4. Guinea Pig? Not Me by PedanticSpellingTrol · · Score: 2, Funny

    I think I'll wait a while before downloading these patches, Apple seems to have a bit of a history of b0rking things with them, like that iTunes patch that came a while back. Oh, and I don't have a mac yet;-(

  5. Windows version, not Mac OS. by chrismear · · Score: 2, Informative

    The heap overflow vulnerability mentioned here only applies to the Windows version of the Quicktime player, not the Mac OS version.

    See here (section IV), or here, or here.

    1. Re:Windows version, not Mac OS. by hard-mac · · Score: 5, Informative
      This quicktime heap overflow vulnerability does affect OSX :

      eeye.com advisory

      It was fixed in a seperate Quicktime update released last friday:

      http://www.macsecurity.org/node.php?id=141

    2. Re:Windows version, not Mac OS. by prockcore · · Score: 4, Interesting

      The heap overflow vulnerability mentioned here only applies to the Windows version of the Quicktime player, not the Mac OS version.

      Actually, that's a completely seperate vulnerability. The one talked about here is the one discovered by eEye and not the one discovered by iDefense.

      This is not suprising, just 1 month ago I mentioned that quicktime was vulnerable to buffer overflows left and right because there is absolutely no input validation done. I was flamed for saying that, but here we have 3 different buffer overflows patched all at once.

    3. Re:Windows version, not Mac OS. by chrismear · · Score: 2, Informative

      Whoops. You're right. Thanks hard-mac and prockcore. Mod grandparent down. ;)

      This'll teach me to try and read tech articles in the early hours of the morning...

  6. Who finds these security holes? by amichalo · · Score: 4, Interesting

    Mod this a -1 STUPID but who finds most of these security flaws?

    No matter if it's OS X, Windows, or Linux, there are always these security fixes popping up. I assume there is a QA team that is working on this stuff but unless there is a vulnerability that manifests itself in the form of a virus or hacked system, who finds these things and why were they looking in the first place?

    --
    I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
    1. Re:Who finds these security holes? by NivenHuH · · Score: 4, Informative

      .. Security consultants.. students.. developers.. hobbyists.. hackers (white hat or black hat).. etc..

      --
      Just when you make it idiotproof, some idiot builds a better idiot.
  7. What can I say? by photoblur · · Score: 3, Funny

    I guess Macs are just more reliable computers all around...

    *ducks*

  8. Apple email by blb · · Score: 5, Informative

    See Apple's email for info and links to the downloads.

  9. AFS server issue is a remote root vulnerability by weld · · Score: 5, Informative

    If you have AFS turned on, patch now.

    @Stake Security Advisory

    Advisory Name: AppleFileServer Remote Command Execution
    Release Date: 05/03/2004
    Application: AppleFileServer
    Platform: MacOS X 10.3.3 and below
    Severity: A remote attacker can execute arbitrary
    commands as root
    Authors: Dave G.
    Dino Dai Zovi
    Vendor Status: Informed, Upgrade Available
    CVE Candidate: CAN-2004-0430
    Reference: www.atstake.com/research/advisories/2004/a050304-1 .txt

    Overview:

    The AppleFileServer provides Apple Filing Protocol (AFP) services for
    both Mac OS X and Mac OS X server. AFP is a protocol used to
    remotely mount drives, similar to NFS or SMB/CIFS. There is a
    pre-authentication, remotely exploitable stack buffer overflow that
    allows an attacker to obtain administrative privileges and execute
    commands as root.

    Details:

    The AppleFileServer provides Apple Filing Protocol (AFP) services
    for both Mac OS X and Mac OS X server. AFP is a protocol used to
    remotely mount drives, similar to NFS or SMB/CIFS. AFP is not
    enabled by default. It is enabled through the Sharing Preferences
    section by selecting the 'Personal File Sharing' checkbox.

    Thereis a pre-authentication remotely exploitable stack buffer
    overflow that allows an attacker to obtain administrative
    privileges. The overflow occurs when parsing the PathName argument
    from LoginExt packet requesting authentication using the Cleartext
    Password User Authentication Method (UAM). The PathName argument
    is encoded as one-byte specifying the string type, two-bytes
    specifying the string length, and finally the string itself. A
    string of type AFPName (0x3) that is longer than the length declared
    in the packet will overflow the fixed-size stack buffer.

    The previously described malformed request results in a trivially
    exploitable stack buffer overflow. @stake was able to quickly
    develop a proof-of-concept exploit that portably demonstrates this
    vulnerability across multiple Mac OS X versions including Mac OS X
    10.3.3, 10.3.2, and 10.2.8.

    1. Re:AFS server issue is a remote root vulnerability by sld126 · · Score: 2, Insightful

      Interesting that AFP has a remote root exploit, considering you can't even log in as root via AFP. Admin yes, root no, not in any version of OS X.

      I'm not calling bullshit, but the air smells kind of funny here...

      --
      You're just jealous because the voices only talk to me.
    2. Re:AFS server issue is a remote root vulnerability by weld · · Score: 5, Informative

      The AFP process runs as root so when the stack overflows you can run code as root. AFP wisely won't let you authenticate as roote even though it is running as root.

      Make sense?

      -weld

    3. Re:AFS server issue is a remote root vulnerability by sld126 · · Score: 2, Insightful

      So, if you use the GUI as the remote login, you can't. But if you use mount_afp with an oversized login name, you can?

      --
      You're just jealous because the voices only talk to me.
    4. Re:AFS server issue is a remote root vulnerability by weld · · Score: 3, Informative

      To exploit this you need to code up your own client. It has to do with overflowing the password field by sending invalid packets. You can't do this with any of the standard clients.

      -weld

    5. Re:AFS server issue is a remote root vulnerability by HSpirit · · Score: 4, Informative

      Wow, that's a pretty severe vulnerability to make it through Apple's QA processes...

      As the previous poster intimates, without an intervening firewall, if you've got AFP turned on (and probably any workgroup of 2 or more Macs would) you're hosed.

      A further issue with this is that the inbuilt GUI firewall front-end provided by Apple is brain-dead in that it doesn't allow you to configure per interface rules. This means that if you want a dual-homed Mac acting as a gateway to share files on its internal interface, the external interface is left vulnerable.

      The actual firewall backend - ipfw, inbuilt and inherited from FreeBSD - is sufficiently sophisticated to enable per interface rules, but to access this functionality you need to completely disable the GUI firewall front-end and configure ipfw yourself using the command line.

      It's been this way since Jaguar (10.2) and I sincerely hope that Apple fix this in 10.4 otherwise - with vulnerabilities like this - its reputation for security over its Windows rivals will be sorely tested.

    6. Re:AFS server issue is a remote root vulnerability by fyonn · · Score: 4, Informative

      fyi: it also only firewalls TCP. UDP is left completely unfirewalled, presumeably to make ichatav easier to deal with.

      for the most part, there is little listening on a mac to be exploited even if you run with no wall so usually it's not the biggest of issues.

      dave

    7. Re:AFS server issue is a remote root vulnerability by wkcole · · Score: 4, Informative
      The actual firewall backend - ipfw, inbuilt and inherited from FreeBSD - is sufficiently sophisticated to enable per interface rules, but to access this functionality you need to completely disable the GUI firewall front-end and configure ipfw yourself using the command line.

      Actually, it's slightly simpler than this. You can add rules via the command line interface or via other tools and the Apple firewall config panel simply becomes non-functional with a note added that other firewall software is in use. IOW: no need to explicitly turn the Apple GUI off.

  10. bad updates by Anonymous Coward · · Score: 4, Funny

    so what are these updates going to break? let's start a pool.

    1. Re:bad updates by 47Ronin · · Score: 2, Insightful

      I've run security updates on dozens of Macs over the last two years and have yet to see one break anything. This isn't like Microsoft Windows, y'know

      --
      Those who laugh at you for you having a Mac.. are the people who constantly call you to fix their PC.
    2. Re:bad updates by sld126 · · Score: 3, Funny

      It always makes me laugh when windoze people switch.

      "It didn't say to reboot, but I'd feel better"
      "Yes, I need to install everything, even if I never buy an iSight"

      I just stand amazed that they've been so abused that they don't know anything better.

      --
      You're just jealous because the voices only talk to me.
    3. Re:bad updates by dthree · · Score: 2, Interesting

      I ran the updater on 2 macs at home and now I can't file share between them at all, cool! Now THAT is security!

      I'm afraid of doing the update on my g5 office mac. I can't afford to loose filesharing, but now that the exploit is "published" all kinds of lemurs are gonna be trying to find the unpatched macs to exploit.

      --
      "I forgot my mantra."
    4. Re:bad updates by lullabud · · Score: 3, Insightful
      Please show one Windows update that erased your entire hard drive (like iTunes), or prevented it from booting (like iTunes for Windows and one OS-X update), or any of the other SEVERE issues that Apple continually has with updates.
      It was either the IE 5 or IE 5.5 update on win98 that corrupted the OS so that it needed to be reloaded. When I worked at Gateway we told people NOT to update their browsers if they weren't having problems because we were sick of having to FFR (Fdisk, Format, Reload) people's systems when the patch made their systems unbootable.
    5. Re:bad updates by lullabud · · Score: 2, Interesting
      I've run security updates on dozens of Macs over the last two years and have yet to see one break anything. This isn't like Microsoft Windows, y'know
      contrarily, i've been using mac's for just over a year now and i've had one update install an ethernet driver that didn't work, and another update kernel panic my system into an unbootable state. however, i have to say that fixing these problems was way easier than anything i've seen in all the years i've been working on windows boxen.
  11. Anyone else have this problem with QT for Win? by c0d3h4x0r · · Score: 2, Interesting

    Every time QT for Windows tries to paint the annoying "register now or later" splash-screen/pop-up, it immediately crashes. This is on Windows 2003 server with a Matrox G450 Dual-Head video card running the latest Matrox video drivers. This has been happening for me with the entire 6.x series of QuickTime for Windows.

    Is anyone seeing this? Apple must not bother to ask Microsoft for the Windows Error Reporting data on QuickTime, because I've only submitted error reports on this crash about a bazillion times now.

    --
    Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
    1. Re:Anyone else have this problem with QT for Win? by Anonymous Coward · · Score: 2

      Have you tried turning off hardware acceleration in the Quicktime control panel?

    2. Re:Anyone else have this problem with QT for Win? by fyonn · · Score: 2, Insightful

      perhaps he's doing server development on his desktop? just cos he's running a server version of the OS doesn't mean his machine is actually the PDC and should be locked away in a room. maybe there is some feature in the server version he needs on his desktop. it's not like it doesn't make an acceptable desktop (assuming you're a windows fan)

      dave

    3. Re:Anyone else have this problem with QT for Win? by Jeremy+Erwin · · Score: 2, Insightful

      The difference between a workstation and a server is an artificial one-- a marketer's delineation, designed to extract the largest amount of cash out of a customer base.

      Sorry. If you want the extra CPU utilized, buy the server edition. If you want to serve files to more than 5 users, buy the server edition. If you want to host a database, buy the server edition.

      The limitations are enough to make someone try linux-- where the border between server and workstation is a bit more fluid.

  12. At least one update went well by jubitzu · · Score: 2, Informative

    I see that fear and panic has ensued over Apple's latest updates. Well it went well on my 10.3.3 system and has not yet affected any other programs. I think, therefore iMac. - Highly unoriginal

  13. Re:Mac OS X Just Crashed by ChaosWing · · Score: 2, Interesting

    Oddly enough, my Powerbook did the same thing as I was starting it up for the *sole purpose* of installing the update.

  14. Uh oh by fr0dicus · · Score: 2, Interesting

    My girlfriends iBook G4 (about two weeks old!) kernel panic'd in the Optimization stage of the update..... had to power button it, and now the spinning boot logo displays forever.... archive reinstall time?

    1. Re:Uh oh by lullabud · · Score: 2, Insightful

      If you boot to the OS X install CD there will be an "Options" button that you can check which will give you the option to move the old system to a different folder, install a new system and then re-import all the user-specific settings that you had previously.

      Windows never had an reinstall option like that...

  15. Detail?? by -tji · · Score: 2, Interesting

    Is there any more thorough source of information on the nature of the changes in the security update?

    For example, what IPSec changes were made?

  16. Re:heap overflows -- how does this work? by beattie · · Score: 2, Informative

    It's not really at some "unpredictable" place.
    l0pht article

  17. The farmer's security watchdog? by gryphokk · · Score: 2, Funny

    eEye?

    eEye?

    Oh.

    --
    And you, madam, are very ugly. In the morning, I shall be sober.