Apple’s October Update Plugs Holes in XML, PHP, PDF
OS X Security Update Fixes 40 Flaws
Severity: High
9 October, 2008
Summary:
- These vulnerabilities affect: OS X 10.4.x (Tiger) and OS X 10.5.x (Leopard), both client and server versions
- How an attacker exploits them: Multiple vectors of attack, including enticing one of your users into visiting a malicious web site, downloading a malicious document, or subscribing to a malicious RSS feed
- Impact: Various results; in the worst case, attacker executes code on your user’s computer, potentially gaining full control of it
- What to do: OS X administrators should download, test and install Security Update 2008-007
Exposure:
Late today, Apple released a security update to fix vulnerabilities in OS X. The update fixes 40 security issues (number based on CVE-IDs) in many software packages that ship as part of OS X, including the Finder, ColorSync, and the PostScript interpreter. Some of these vulnerabilities allow attackers to execute code on your OS X machines, so we rate this update Critical. Apply it as soon as you can. Three of the fixed vulnerabilities of special interest to businesses include:
- Three PHP vulnerabilities. PHP is a scripting language optimized to work well with HTML. It is used on millions of web sites to generate a page dynamically, accepting input from users or from a database. PHP suffers from a buffer overflow vulnerability, and a few other flaws. By luring one of your users to a malicious web site, an attacker could exploit one of these flaws to execute code on that user’s computer.
- Buffer overflow vulnerabilities in rendering color graphics. ColorSync is the component of OS X that helps handle graphic images having an embedded ICC profile. If you shoot a picture with a digital camera and later need to use the picture in a printed brochure, the ICC profile contains the data ColorSync uses to convert the RGB colors from the camera into the CMYK colors a printer understands. ColorSync contains a buffer overflow flaw in the way it handles images that have an embedded ICC profile. There is a wide variety of such images, including PICT, PDF, and PostScript files. If an attacker can get a victim to open a maliciously crafted color image, he could exploit this flaw to execute attack code on the victim’s computer. Apple’s advisory also addresses another buffer overflow in how OS X renders PostScript files.
- Heap buffer overflow in rendering XML documents. XML is a relatively human-legible programming language widely used on the Internet, showing up in uses ranging from vector-based graphics to RSS news feeds. A flaw in the way OS X renders XML documents could allow an attacker to craft a malicious HTML page. If the attacker can get one of your users to visit the page, he could exploit the flaw to execute his code on your user’s computer, possibly taking control of it.
Apple’s alert covers many more flaws, including other code execution flaws in addition to those described above. The remaining vulnerabilities include Denial of Service (DoS) flaws, elevation of privilege flaws, crash vulnerabilities, plus others. Some of the flaws only affect OS X Server. Components patched by this security update include:
Apache, ClamAV, CUPS, Finder, launchd, MySQL Server, Postfix, QuickLook, rlogin, Script Editor, Tomcat, Weblog
Please refer to Apple’s OS X alert for more details.
Solution Path:
Apple has released OS X Security Update 2008-007 to fix these security issues. OS X administrators should download, test, and deploy the update as soon as they can.
- Security Update 2008-007 (PPC)
- Security Update 2008-007 (Intel)
- Security Update 2008-007 (Leopard)
- Security Update 2008-007 Server (PPC)
- Security Update 2008-007 Server (Leopard)
- Security Update 2008-007 Server (Universal)
Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend that you let OS X’s Software Update utility pick the correct updates for you automatically.
For All Users:
These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.
Status:
Apple has released updates to fix these issues.