Severity: High
18 March, 2008
Summary:
- These vulnerabilities affect: OS X 10.4.x (Tiger) and OS X 10.5.x (Leopard), both client and server versions
- How an attacker exploits them: Multiple vectors of attack, including enticing one of your users into visiting a URL or web site
- Impact: Various results; in the worst case, attacker executes code on your user’s computer, potentially gaining complete of your user’s computer
- What to do: OS X administrators should download, test and install Security Update 2008-002
Severity: High
18 March, 2008
Summary:
- These vulnerabilities affect: OS X 10.4.x (Tiger) and OS X 10.5.x (Leopard), both client and server versions
- How an attacker exploits them: Multiple vectors of attack, including enticing one of your users into visiting a URL or web site
- Impact: Various results; in the worst case, attacker executes code on your user’s computer, potentially gaining complete of your user’s computer
- What to do: OS X administrators should download, test and install Security Update 2008-002
Exposure:
Today, Apple released a security update fixing over 95 (number based on CVE-IDs) security issues in software packages that ship as part of OS X, including Apache, Preview, and Help Viewer. Some of these vulnerabilities allow attackers to execute any code they choose on your OS X machines, so we rate this update Critical. Apply it as soon as you can. Three of the vulnerabilities fixed include:
- Multiple integer overflow vulnerabilities in AppKit. AppKit is a OS X framework that helps developers implement graphical, event-driven user interfaces. According to Apple, Appkit suffers from integer overflow vulnerabilities involving the way it parses something called a “serialized property list.” By luring one of your users to a maliciously crafted web site, an attacker could exploit these flaws to execute code on your user’s computer, with that user’s privileges. The attacker could then leverage a separate vulnerability in AppKit — also described in Apple’s alert — to gain system privilege, thus giving the attacker complete control of that user’s Mac.
- Foundation race condition vulnerability. Foundation is an OS X component that helps Safari handle web pages and URLs. According to Apple, Foundation suffers from a complicated race condition vulnerability. If an attacker can entice one of your users into visiting a malicious web site, he could exploit this vulnerability to execute code on the user’s computer, with that user’s privileges. Furthermore, the attacker could then leverage other vulnerabilities described in Apple’s alert to elevate privileges and gain complete control of your user’s computer.
- Image Raw buffer overflow vulnerability. Image Raw is a component that allows OS X to handle the various RAW image formats that some digital cameras support. Image Raw suffers from a buffer overflow vulnerability involving the way it handles specially malformed Adobe Digital Negative (DNG) image files. By enticing one of your users into viewing a malicious image, an attacker can exploit this flaw to execute code on that user’s computer. By default, the attacker would only execute code with that user’s privileges. However, he could then leverage another vulnerability — also described in Apple’s alert — to gain complete control of your user’s computer.
Apple’s alert includes many, many more flaws, including other code execution flaws in addition to those described above. The remaining vulnerabilities also include Denial of Service (DoS) flaws, elevation of privilege flaws, and information disclosure vulnerabilities, plus others. Components patched by this security update include:
| AFP Client | AFP Server |
| Apache | AppKit |
| Application Firewall | CFNetwork |
| ClamAV | CoreFoundation |
| Core Services | CUPS |
| curl | Emacs |
| file | Foundation |
| Help Viewer | Image Raw |
| Kerberos | libc |
| mDNSResponder | notifyd |
| OpenSSH | pax archive utility |
| PHP | Podcast Producer |
| Preview | Printing |
| System Configuration | UDF |
| Wiki Server | X11 |
Refer to Apple’s alert for more details.
This is a huge update fixing many security vulnerabilities, some of which pose a critical security risk. If you manage OS X machines, we highly recommend you apply this update right away.
Solution Path:
Apple has released OS X Security Update 2008-002 to fix all these security issues. OS X administrators should download, test, and deploy Security Update 2008-002 as soon as they can.
- Security Update 2008-002 v1.0 (PPC)
- Security Update 2008-002 v1.0 (Universal)
- Security Update 2008-002 v1.0 (Leopard)
- Security Update 2008-002 v1.0 Server (PPC)
- Security Update 2008-002 v1.0 Server (Universal)
- Security Update 2008-002 v1.0 Server (Leopard)
Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend you let OS X’s Software Update utility pick the correct update for you automatically.
For All Users:
These flaws support diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.
Status:
Apple released updates to fix these issues.