In association with heise online

18 December 2007, 13:13

Apple Mac OS X security updates

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Apple has released Update 2007-009 for Mac OS X 10.4.11 and 10.5.1, including server versions of the operating system, to close a number of security holes. In the overview of the update, the vendor documents a total of 31 vulnerabilities, 16 of which can be used to inject and execute malicious code. Additionally, Apple has released an important security update to the Java components of OS X 10.4.

Several updates close holes in programs and mechanisms that access the internet. For instance, specially crafted websites can be used to inject arbitrary executable code into the local address book due to a flaw in the URL handler. Likewise, images with an integrated, manipulated ColorSync profile can be exploited to execute arbitrary code. The web browser Safari and Shockwave have also been patched to prevent remote code execution.

A posting on the BugTraq security mailing list provides some insight into a vulnerability in the OS X software update mechanism. According to the posting, Apple does sign the individual update packages, so attackers cannot simply provide manipulated updates through a compromised network to an Apple computer. However, Apple apparently did not sign the update control files, which contain JavaScript code that checks whether the updates need to be installed. Therefore an attacker could inject arbitrary code into Apple systems running the software update, for example by using ARP or DNS spoofing techniques.

The vulnerabilities patched by the Java update can be exploited to allow attackers to remotely manipulate a user's digital keychain and take control of vulnerable systems. For this to occur, the user has to visit a manipulated website using a Java-capable browser. According to Apple, OS X 10.5 Leopard is not affected by the Java security holes.

The recent Apple updates also remedy remote code execution flaws in other services exposed to the local network, including the CUPS printing service and the Samba Windows Network component. Other components that have been fixed include Flash Player, Apple Mail, iChat, Quick Look, Spotlight, Desktop Services, IO Storage, Launch Services, XQuery, CFNetwork, Core Foundation, and Spin Tracer as well as some open-source components. Most of the addressed vulnerabilities would allow local users to escalate their privileges in the system and attackers to get access to sensitive information and overwrite files.

The updates are being distributed via the automatic OS X update function, which can be started by clicking on "Software Updates" in the Apple menu, but administrators can also download packets for their platform from Apple. Mac OS X users are advised to install the updates as soon as possible because they address a number of critical security issues. Because of the serious flaw in the update mechanism, extra care should be taken to only run it in a trusted network such as a home network behind a firewall router.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit