Slashdot Mirror


Security Updates, Notices for Mac OS X

Myrrh writes "eEye reports they discovered a heap overflow in QuickTime 6.5, which 'allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code.' Now's a swell time to visit Apple and download the updates for both programs." Also, Apple today released Security Update 2004-05-03, which includes updates for AFP Server, CoreFoundation, and IPSec, and is, like the QuickTime 6.5.1 update, available via Software Update.


  1. In fairness, though by mkavanagh2 · · Score: 5, Funny

    Mac OS X does get fewer security problems than any other OS... perhaps apart from BeOS, but I think we can guess why BeOS doesn't get holes found ;)

    1. Re:In fairness, though by prockcore · · Score: 5, Funny

      I think we can guess why BeOS doesn't get holes found

      Is it because no one is able to get their ethernet cards to work under BeOS?

  2. Hmm... by hookedup · · Score: 5, Funny

    'allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code.' Damn that Apple, even their exploits are reliable!? I'm really thinking about making the switch..

    1. Re:Hmm... by ariel5000 · · Score: 5, Funny

      I don't know about you, but I think that the only reliable things about Windows are the exploits.

  3. Apple email by blb · · Score: 5, Informative

    See Apple's email for info and links to the downloads.

  4. Re:Windows version, not Mac OS. by hard-mac · · Score: 5, Informative

    This QuickTime heap overflow vulnerability does affect OS X:

    eeye.com advisory

    It was fixed in a separate QuickTime update released last Friday:

    http://www.macsecurity.org/node.php?id=141

  5. AFS server issue is a remote root vulnerability by weld · · Score: 5, Informative

    If you have AFS turned on, patch now.

    @Stake Security Advisory

    Advisory Name: AppleFileServer Remote Command Execution
    Release Date: 05/03/2004
    Application: AppleFileServer
    Platform: MacOS X 10.3.3 and below
    Severity: A remote attacker can execute arbitrary
    commands as root
    Authors: Dave G.
    Dino Dai Zovi
    Vendor Status: Informed, Upgrade Available
    CVE Candidate: CAN-2004-0430
    Reference: www.atstake.com/research/advisories/2004/a050304-1.txt

    Overview:

    The AppleFileServer provides Apple Filing Protocol (AFP) services for
    both Mac OS X and Mac OS X server. AFP is a protocol used to
    remotely mount drives, similar to NFS or SMB/CIFS. There is a
    pre-authentication, remotely exploitable stack buffer overflow that
    allows an attacker to obtain administrative privileges and execute
    commands as root.

    Details:

    The AppleFileServer provides Apple Filing Protocol (AFP) services
    for both Mac OS X and Mac OS X server. AFP is a protocol used to
    remotely mount drives, similar to NFS or SMB/CIFS. AFP is not
    enabled by default. It is enabled through the Sharing Preferences
    section by selecting the 'Personal File Sharing' checkbox.

    There is a pre-authentication remotely exploitable stack buffer
    overflow that allows an attacker to obtain administrative
    privileges. The overflow occurs when parsing the PathName argument
    from LoginExt packet requesting authentication using the Cleartext
    Password User Authentication Method (UAM). The PathName argument
    is encoded as one-byte specifying the string type, two-bytes
    specifying the string length, and finally the string itself. A
    string of type AFPName (0x3) that is longer than the length declared
    in the packet will overflow the fixed-size stack buffer.

    The previously described malformed request results in a trivially
    exploitable stack buffer overflow. @stake was able to quickly
    develop a proof-of-concept exploit that portably demonstrates this
    vulnerability across multiple Mac OS X versions including Mac OS X
    10.3.3, 10.3.2, and 10.2.8.

    1. Re:AFS server issue is a remote root vulnerability by weld · · Score: 5, Informative

      The AFP process runs as root so when the stack overflows you can run code as root. AFP wisely won't let you authenticate as root even though it is running as root.

      Make sense?

      -weld
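
The advisory quoted in comment 5 describes the PathName field as a one-byte type, a two-byte length and then the string, copied into a fixed-size stack buffer. The sketch below is an example added here, not code from the advisory, from @stake or from Apple: it shows the two bounds checks a parser for that layout needs before copying. The function name, status codes, the 256-byte buffer size and the big-endian length are assumptions, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATH_TYPE_AFPNAME 0x03  /* type value quoted in the advisory */
#define PATH_BUF_SIZE     256   /* hypothetical fixed destination size */

enum path_status { PATH_OK, PATH_ERR_TRUNCATED_HEADER, PATH_ERR_BAD_TYPE,
                   PATH_ERR_LEN_EXCEEDS_PACKET, PATH_ERR_LEN_EXCEEDS_BUFFER };

/* Constructed samples: a well-formed field, and one declaring 256 bytes
 * while carrying only two. */
static const uint8_t sample_ok[]    = { 0x03, 0x00, 0x05, 'S','h','a','r','e' };
static const uint8_t sample_short[] = { 0x03, 0x01, 0x00, 'A','B' };

/* Parse one PathName field (type, 2-byte length, string) from pkt.
 * Copies exactly the declared length, NUL-terminated, into out and
 * reports the bytes consumed; rejects anything that does not fit. */
enum path_status parse_pathname(const uint8_t *pkt, size_t pkt_len,
                                char *out, size_t out_size, size_t *consumed)
{
    if (pkt_len < 3)
        return PATH_ERR_TRUNCATED_HEADER;
    if (pkt[0] != PATH_TYPE_AFPNAME)
        return PATH_ERR_BAD_TYPE;

    /* Assumption: length is in network (big-endian) byte order. */
    size_t declared = ((size_t)pkt[1] << 8) | pkt[2];

    /* Check 1: the declared length must fit in the bytes actually received. */
    if (declared > pkt_len - 3)
        return PATH_ERR_LEN_EXCEEDS_PACKET;
    /* Check 2: it must also fit in the destination, leaving room for NUL. */
    if (out_size == 0 || declared >= out_size)
        return PATH_ERR_LEN_EXCEEDS_BUFFER;

    memcpy(out, pkt + 3, declared);
    out[declared] = '\0';
    *consumed = 3 + declared;
    return PATH_OK;
}

int main(void)
{
    char name[PATH_BUF_SIZE];
    size_t used = 0;
    printf("ok=%d\n", parse_pathname(sample_ok, sizeof sample_ok, name, sizeof name, &used));
    printf("short=%d\n", parse_pathname(sample_short, sizeof sample_short, name, sizeof name, &used));
    return 0;
}
```

Bytes left over after `consumed` belong to whatever follows the field; a caller that expects the field to end the packet should treat a mismatch as malformed input and drop the request.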