Slashdot Mirror
Apple Patches Massive Holes In OS X
Trailrunner7 writes with this snippet from ThreatPost: "Apple's first Mac OS X security update for 2010 is out, providing cover for at least 12 serious vulnerabilities. The update, rated critical, plugs security holes that could lead to code execution vulnerabilities if a Mac user is tricked into opening audio files or surfing to a rigged Web site." Hit the link for a list of the highlights among these fixes.
Apple's own security update page (http://support.apple.com/kb/HT4004) lists these six, where did Threatpost author get the number 12 from?:
Security Update 2010-001
*
CoreAudio
CVE-ID: CVE-2010-0036
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact: Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to Tobias Klein of trapkit.de for reporting this issue.
*
CUPS
CVE-ID: CVE-2009-3553
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact: A remote attacker may cause an unexpected application termination of cupsd
Description: A use-after-free issue exists in cupsd. By issuing a maliciously crafted get-printer-jobs request, an attacker may cause a remote denial of service. This is mitigated through the automatic restart of cupsd after its termination. This issue is addressed through improved connection use tracking.
*
Flash Player plug-in
CVE-ID: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800, CVE-2009-3951
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact: Multiple vulnerabilities in Adobe Flash Player plug-in
Description: Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 10.0.42. Further information is available via the Adobe web site at http://www.adobe.com/support/security/bulletins/apsb09-19.html Credit to an anonymous researcher and Damian Put working with TippingPoints Zero Day Initiative, Bing Liu of Fortinet's FortiGuard Global Security Research Team, Will Dormann of CERT, Manuel Caballero and Microsoft Vulnerability Research (MSVR).
*
ImageIO
CVE-ID: CVE-2009-2285
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.2.
*
Image RAW
CVE-ID
Windows 7 can still be targeted by a IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old
Non impediti ratione cogitationus.
Two bugs were found in their image libraries (arbitrary code execution bugs in TIFF and RAW-DMG). Makes me wonder if they even tested their image libraries at all when they were being written, because that kind of bug can usually be found in an image library by feeding it random data.
Qxe4
No, it can't. Well technically, it can be exploited, but IE runs sandboxed in Win 7 so the exploiter can't really do much.
Yes, it's sarcasm. Deal with it!
But it is.
And patching vulnerabilities that are found just makes it more so.
Sorry, what was your point again?
Saying that OSX is less secure due to these vulnerabilities is how MS said that Linux was less secure than windows. These aren't OS vulnerabilities, they're application vulnerabilities (well, for the programs I recognize as a non-Mac person). The OS itself is fine. The trick is, of course, that some of these things are included practically by default. So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.
/. and a Mac lover, I sincerely doubt you're one of the problem kids for updates on most any system you control.
That's not to say that Mac users have free license to ignore proper security practices. Trojans, poor/shared passwords and not updating their software can leave them as vulnerable, if less targeted, than PC users. Given that one of the problems is with flash (and the fix is as simple as an update), I wonder if there's a good enough of a target out there for hacking Mac WOW players through flash ads hijacks.
Before you flame, I will say that if you're on
"Common sense will be the death of us all"
http://www.vupen.com/english/advisories/2010/0135
With default Windows 7 settings, the current exploit doesn't work. IE8 in XP without DEP protection. It CAN theoritically be expolited with DEP but haven't seen any current exploits that work around DEP protection. Also running with non-admin privileges (recommended, and default in vista & windows 7) reduces the attack surface (i.e. backdoors can't be installed without taking advantage of some other vunerability) so the IE vunerability is a bit overblown, following good security practices (which are default in vista & windows 7) already prevent the known attacks.
You hack whichever's easiest, considering pwn2own had $10k cash prizes.
Massive Holes? I wouldn't consider any of these critical vulnerabilities, except for the ever so popular Flash sponge.
* CoreAudio (CVE-2010-0036) -- A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution.
Seems this could crash your audio player.
* CUPS (CVE-2009-3553) -- A use-after-free issue exists in cupsd. By issuing a maliciously crafted get-printer-jobs request, an attacker may cause a remote denial of service. This is mitigated through the automatic restart of cupsd after its termination.
A remote attacker may cause an unexpected application termination of cupsd. I don't see this happening on a home network, and unlikely on a firewalled work network. In any case, an irritant and nothing more.
* Flash Player plug-in (7 vulnerabilities) -- Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 10.0.42.
This one unfortunately is serious. Its also due to a flaw in the Adobe Flash Player plug-in.
* ImageIO (CVE-2009-2285) -- A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
Crashes your Preview or whatever image viewing app your using.
* Image RAW (CVE-2010-0037) -- A buffer overflow exists in Image RAW's handling of DNG images. Viewing a maliciously crafted DNG image may lead to an unexpected application termination or arbitrary code execution.
I seriously had to look this one up. DNG is apparently an Adobe raw image format. I don't see this one as massive either.
* OpenSSL (CVE-2009-3555) -- A man-in-the-middle vulnerability exists in the SSL and TLS protocols. A change to the renegotiation protocol is underway within the IETF. This update disables renegotiation in OpenSSL as a preventive security measure. The issue does not affect services using Secure Transport as it does not support renegotiation.
This one appears to affect everyone, from OS X, to Windows, to Apache: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
You must be new here.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
That's nice. And out of date. OS X does memory address randomization, and supports to NX bit.
Yes, my point about IIS vs Apache wasn't that there were more attacks against IIS, just that there are documented and exploited holes.
And yes, there have been many holes found in the various parts of OS X that have been fixed (and some yet to be fixed) but in terms of malware in the wild, there is practically none. There was a disk image that claimed to be Office for Mac on torrent sites that actually ended up deleting your files after you gave it your admin password, and a couple of other proof of concept attacks, but stuff actually out there roaming free in the wild is extremely rare - vanishingly so. I will not say "none" because it is clearly not true, and it allows the possibility of something to emerge, but for all the holes that have appeared in components of OS X, over the course of the life of the OS, no one has demonstrated stuff beyond possibilities.
The TFA does indeed say "could install spyware and delete files" - ie, if the hole is exploited. No one is denying that (and when the hole is closed, they can't) but so far, no one has been able to - the vector for attack has not been there. There was nothing in the wild that exploited some of these holes, and they have been nipped up before anything could be produced.
There are obviously other holes that have yet to be closed - including, as some security people have claimed, ones that have been open and exposed for a very long time (consider the guy who knew of two vulnerabilities and kept one to himself so he could exploit it the next year at the 'break OS X contest'). If that hole was known and vulnerable for a year, where are the in-the0wild exploits actually installing malicious software and keyloggers and so on? The hole was there for a malicious mp4 file, but the malware that exploited it was not.
I'm not not nieve enough to assume or assert that OS X gets a free pass on security, but the prior performance has been good compared to Windows, even with the difference in install base. It's in a similar position to Linux with regard to security holes (and shares holes with some BSD components that the OSS community is also exposed to).
This is actually a valid complaint, although this link is actually referring to hacking done under Leopard, not Snow Leopard. Snow Leopard is still missing a full implementation of ASLR, and that leaves it vulnerable to some exploits.
Vista was the first Windows OS to implement ASLR, and it was assumed that Snow Leopard would do the same, but that didn't happen, or at least not fully. They have prevented 'data' from being executed as arbitrary code (DEP), but they still don't randomize all of the OS components. Only some key pieces, but not all.
The pwn2own contest would say otherwise. Mac is usually the first to go down.
Because for pwn2own you need a zero-day exploit - how high are the chances to find a 0day for Windows and nobody else having it out in the wild until that one day in the year of pwn2own? OTOH, Charlie Miller was sitting on his last winner for over a year, and nobody else found that exploit during that year.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
Not at all. Your only looking at the end result as evaluating risk from that, and not the vector of infection.
The flash update wasn't 'dismissed' and I noted it was a serious issue, but the fault lies with Flash. It is an abomination.
The MP4 vulnerability would require someone actually get their hands on a specifically crafted MP4. The typical user either creates their own MP4's from their own audio CD's, or downloads them from iTunes on a Mac. If they are getting them from seedy sources, then they pretty much get what they deserve
The last one I wouldn't consider a huge risk simply for the fact that I had never heard of the format. It would require someone that works with raw image data who happens to get an Adobe DNG image that has this vulnerability. This isn't like some drive by hijacking. I don't see this as a likely path to infection.
That's how most MP4s come into existence. But an MP4 (or a TIFF for that matter) can be put up onto a webpage by an attacker, and rendered by the browser without the user needing to explicitly download and run it. If visiting a maliciously-crafted website can lead to arbitrary code execution, I'd say there's a serious problem. (I haven't investigated the particular flaws closely enough to tell if that is the case. However, based on the advisory, it seems quite likely.)
You are overlooking that Safari considers certain filetypes "safe" (including MP4, not sure about TIFF or DNG) and opens them by default. Its quite possible these vulnerabilities could be rigged to "drive by" a casual web surfer with no user interaction.
Furthermore Finder has a preview function which is activated by simply single-clicking on a file, which could be another vector to attack an 'innocent' user.
Business. Numbers. Money. People. Computer World.
Apple said things which were true, worded in such that might cause people to draw an exaggerated conclusion. PitaBred merely lied. You fail at logic.