Security Updates, Notices for Mac OS X

← Back to Stories (view on slashdot.org)

Security Updates, Notices for Mac OS X

Posted by pudge on Monday May 3, 2004 @11:05AM from the happy-update-monday dept.

Myrrh writes "eEye reports they discovered a heap overflow in QuickTime 6.5, which 'allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code.' Now's a swell time to visit Apple and download the updates for both programs." Also, Apple today released Security Update 2004-05-03, which includes updates for AFP Server, CoreFoundation, and IPSec, and is, like the QuickTime 6.5.1 update, available via Software Update.

15 of 74 comments (clear)

In fairness, though by mkavanagh2 · 2004-05-03 11:11 · Score: 5, Funny

Mac OS X does get less security problems than any other OS..perhaps apart from BeOS, but I think we can guess why BeOS doesn't get holes found ;)
1. Re:In fairness, though by prockcore · 2004-05-03 14:31 · Score: 5, Funny
  
  I think we can guess why BeOS doesn't get holes found
  
  Is it because no one is able to get their ethernet cards to work under BeOS?
Hmm... by hookedup · 2004-05-03 11:14 · Score: 5, Funny

'allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code.' damn that apple, even their exploits are reliable!? i'm really thinking about making the switch..
1. Re:Hmm... by ariel5000 · 2004-05-03 12:02 · Score: 5, Funny
  
  I don't know about you, but i think that the only reliable things about Windows are the exploits.
Who finds these security holes? by amichalo · 2004-05-03 11:25 · Score: 4, Interesting

Mod this a -1 STUPID but who finds most of these security flaws?

No matter if it's OS X, Windows, or Linux, there are always these security fixes popping up. I assume there is a QA team that is working on this stuff but unless there is a vulnerability that manifests itself in the form of a virus or hacked system, who finds these things and why were they looking in the first place?

--
I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
1. Re:Who finds these security holes? by NivenHuH · 2004-05-03 13:55 · Score: 4, Informative
  
  .. Security consultants.. students.. developers.. hobbyists.. hackers (white hat or black hat).. etc..
  
  --
  Just when you make it idiotproof, some idiot builds a better idiot.
Apple email by blb · 2004-05-03 11:53 · Score: 5, Informative

See Apple's email for info and links to the downloads.
Re:Windows version, not Mac OS. by hard-mac · 2004-05-03 11:55 · Score: 5, Informative

This quicktime heap overflow vulnerability does affect OSX :
eeye.com advisory
It was fixed in a seperate Quicktime update released last friday:
http://www.macsecurity.org/node.php?id=141
AFS server issue is a remote root vulnerability by weld · 2004-05-03 11:57 · Score: 5, Informative

If you have AFS turned on, patch now.

@Stake Security Advisory

Advisory Name: AppleFileServer Remote Command Execution
Release Date: 05/03/2004
Application: AppleFileServer
Platform: MacOS X 10.3.3 and below
Severity: A remote attacker can execute arbitrary
commands as root
Authors: Dave G.
Dino Dai Zovi
Vendor Status: Informed, Upgrade Available
CVE Candidate: CAN-2004-0430
Reference: www.atstake.com/research/advisories/2004/a050304-1 .txt

Overview:

The AppleFileServer provides Apple Filing Protocol (AFP) services for
both Mac OS X and Mac OS X server. AFP is a protocol used to
remotely mount drives, similar to NFS or SMB/CIFS. There is a
pre-authentication, remotely exploitable stack buffer overflow that
allows an attacker to obtain administrative privileges and execute
commands as root.

Details:

The AppleFileServer provides Apple Filing Protocol (AFP) services
for both Mac OS X and Mac OS X server. AFP is a protocol used to
remotely mount drives, similar to NFS or SMB/CIFS. AFP is not
enabled by default. It is enabled through the Sharing Preferences
section by selecting the 'Personal File Sharing' checkbox.

Thereis a pre-authentication remotely exploitable stack buffer
overflow that allows an attacker to obtain administrative
privileges. The overflow occurs when parsing the PathName argument
from LoginExt packet requesting authentication using the Cleartext
Password User Authentication Method (UAM). The PathName argument
is encoded as one-byte specifying the string type, two-bytes
specifying the string length, and finally the string itself. A
string of type AFPName (0x3) that is longer than the length declared
in the packet will overflow the fixed-size stack buffer.

The previously described malformed request results in a trivially
exploitable stack buffer overflow. @stake was able to quickly
develop a proof-of-concept exploit that portably demonstrates this
vulnerability across multiple Mac OS X versions including Mac OS X
10.3.3, 10.3.2, and 10.2.8.
1. Re:AFS server issue is a remote root vulnerability by weld · 2004-05-03 13:02 · Score: 5, Informative
  
  The AFP process runs as root so when the stack overflows you can run code as root. AFP wisely won't let you authenticate as roote even though it is running as root.
  
  Make sense?
  
  -weld
2. Re:AFS server issue is a remote root vulnerability by HSpirit · 2004-05-03 14:56 · Score: 4, Informative
  
  Wow, that's a pretty severe vulnerability to make it through Apple's QA processes...
  As the previous poster intimates, without an intervening firewall, if you've got AFP turned on (and probably any workgroup of 2 or more Macs would) you're hosed.
  
  A further issue with this is that the inbuilt GUI firewall front-end provided by Apple is brain-dead in that it doesn't allow you to configure per interface rules. This means that if you want a dual-homed Mac acting as a gateway to share files on its internal interface, the external interface is left vulnerable.
  
  The actual firewall backend - ipfw, inbuilt and inherited from FreeBSD - is sufficiently sophisticated to enable per interface rules, but to access this functionality you need to completely disable the GUI firewall front-end and configure ipfw yourself using the command line.
  
  It's been this way since Jaguar (10.2) and I sincerely hope that Apple fix this in 10.4 otherwise - with vulnerabilities like this - its reputation for security over its Windows rivals will be sorely tested.
3. Re:AFS server issue is a remote root vulnerability by fyonn · 2004-05-03 19:06 · Score: 4, Informative
  
  fyi: it also only firewalls TCP. UDP is left completely unfirewalled, presumeably to make ichatav easier to deal with.
  
  for the most part, there is little listening on a mac to be exploited even if you run with no wall so usually it's not the biggest of issues.
  
  dave
4. Re:AFS server issue is a remote root vulnerability by wkcole · 2004-05-04 04:14 · Score: 4, Informative
  
  The actual firewall backend - ipfw, inbuilt and inherited from FreeBSD - is sufficiently sophisticated to enable per interface rules, but to access this functionality you need to completely disable the GUI firewall front-end and configure ipfw yourself using the command line.
  
  Actually, it's slightly simpler than this. You can add rules via the command line interface or via other tools and the Apple firewall config panel simply becomes non-functional with a note added that other firewall software is in use. IOW: no need to explicitly turn the Apple GUI off.
bad updates by Anonymous Coward · 2004-05-03 12:02 · Score: 4, Funny

so what are these updates going to break? let's start a pool.
Re:Windows version, not Mac OS. by prockcore · 2004-05-03 12:19 · Score: 4, Interesting

The heap overflow vulnerability mentioned here only applies to the Windows version of the Quicktime player, not the Mac OS version.

Actually, that's a completely seperate vulnerability. The one talked about here is the one discovered by eEye and not the one discovered by iDefense.

This is not suprising, just 1 month ago I mentioned that quicktime was vulnerable to buffer overflows left and right because there is absolutely no input validation done. I was flamed for saying that, but here we have 3 different buffer overflows patched all at once.