Apple closes new security holes
Apple's 2006-004 security update patches numerous holes. Several of the vulnerabilities it closes allowed attackers to execute arbitrary code on affected computers.
With these holes left unpatched, attackers can crash Apple's AFP server or smuggle in code. They can also access other users' files, since the memory for the reconnect keys is accessible to all. Users could also use the search function to produce lists of other users' files for which they had no right of access.
A specially crafted zip file can knock the BOM archive helper off balance to the point where an attacker could plant arbitrary code with it and then execute that code. To make matters worse, the Safari web browser considers zip files safe and opens them automatically if the corresponding option is activated. Tom Ferris reported that hole to Apple long ago.
The DHCP service also leaves a crack in the Apple OS security. A manipulated bootp request can trigger a buffer overflow and potentially execute arbitrary code. Apple's developers have also closed numerous older security holes in fetchmail that could have allowed a manipulated POP3 server to foist arbitrary code onto the program.
Beyond zip files, a variety of image files and websites also represent a security risk for Mac users. Manipulated images in the RAW (Canon), Radiance, GIF and TIFF formats, as well as specially crafted websites, can allow malicious code to reach the system and be executed. The flaw in TIFF processing also affects the free libtiff library, which is used by kdegraphics among others. Linux distributors have in the meantime begun offering updates as well.
There were also less critical updates, including one for the Bluetooth Setup Assistant. Apple extended the automatically generated key used to pair Bluetooth devices from six digits to eight. The dyld linker allowed users to escalate their privileges. A programming flaw in gunzip, a decompression program, allowed the access rights of files to be changed, and allowed arbitrary files to be created or replaced through use of the command line option "-N".
The OpenSSH server provided by Apple freezes up if one tries to log in with a non-existent user account. The Telnet client is also affected by a vulnerability that could allow it to send (sensitive) content from environment variables to a Telnet server when requested by the latter.
Mac OS X users should install the update immediately, if the automatic update mechanism has not already done so. A number of exploits are already making the rounds for the fetchmail hole.
- About Security Update 2006-004, list of the patched security holes from Apple