Secplicity - Security Simplified

Powered by WatchGuard Technologies

Huge OS X Update Fixes Almost 100 Security Flaws

March 30, 2010 By The Editor

Summary:

  • These vulnerabilities affect: All current versions of OS X 10.5.x (Leopard) and OS X 10.6.x (Snow Leopard)
  • How an attacker exploits them: Multiple vectors of attack, including visiting malicious websites or enticing one of your users into downloading and viewing various malicious media files
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer, potentially gaining full control of it
  • What to do: OS X administrators should download, test and install Security Update 2010-002 or the 10.6.3 update.

Exposure:

Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes well over 90 (number based on CVE-IDs) security issues in around 43 components that ship as part of OS X, including QuickTime, CoreMedia, and Mail. Some of these vulnerabilities allow attackers to gain full control of your OS X machines, so we rate this update Critical. Apply it as soon as you can. Some of the fixed vulnerabilities include:

  • Various QuickTime Code Execution Vulnerabilities. QuickTime is the multimedia (video and audio) player that ships with OS X. According to Apple, QuickTime suffers from nine code execution vulnerabilities involving its inability to properly handle maliciously crafted movie files. Though the flaws differ technically, they share the exact same scope and impact. If an attacker can lure one of your users into playing a malicious movie (perhaps hosted on a malicious website), he could exploit this flaw to either crash QuickTime or to execute attack code on that user’s computer. By default, the attacker would only execute code with that user’s privileges. However, the attacker could also leverage other privilege elevation flaws described in Apple’s alert to gain complete control of your user’s Mac.
  • Multiple Image-related Memory Corruption Vulnerabilities. ImageIO and Image RAW are both OS X components that help the operating system handle various types of image files. Both components suffer from memory-related vulnerabilities involving the way they handle certain types of image files. Though the vulnerabilities differ technically, they share a very similar scope and impact. If an attacker can get a victim to view a specially crafted picture (perhaps hosted on a malicious website), he could exploit any of these flaws to either crash the viewing application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges. However, the attacker could also leverage other flaws in Apple’s alert to gain complete control of your user’s Mac.
  • Disk Images Code Execution Vulnerabilities. Disk Images is the OS X component that mounts the DMG disk image files commonly used to install software on Mac computers. Apple’s OS X update fixes two code execution vulnerabilities in Disk Images. Though they differ technically, an attacker could leverage both in the same way. By enticing you to mount a malicious DMG file, an attacker could exploit either of these flaws to execute code on your computer, with your privileges. Like the previous flaws, the attacker could then leverage other vulnerabilities to gain complete control of your Mac.

Apple’s alert also describes many other vulnerabilities, including some Denial of Service (DoS) flaws, information disclosure issues, and Cross Site Scripting (XSS) vulnerabilities. Components patched by this security update include:

  • AppKit
  • Application Firewall
  • AFP Server
  • Apache
  • ClamAV
  • CoreAudio
  • CoreMedia
  • CoreTypes
  • CUPS
  • curl
  • Cyrus IMAP
  • Cyrus SASL
  • Desktop Services
  • Disk Images
  • Directory Services
  • Dovecot
  • Event Monitor
  • FreeRADIUS
  • FTP Server
  • iChat Server
  • ImageIO
  • Image RAW
  • Libsystem
  • Mail
  • Mailman
  • MySQL
  • OS Services
  • Password Server
  • perl
  • PHP
  • Podcast Producer
  • Preferences
  • PS Normalizer
  • QuickTime
  • Ruby
  • Server Admin
  • SMB
  • Tomcat
  • unzip
  • vim
  • Wiki Server
  • X11
  • xar

Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details.

As an aside, if you haven’t installed the Safari update Apple released earlier this month, we recommend you install it as well.

Solution Path:

Apple has released OS X Security Update 2010-002 and 10.6.3 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can.

  • Security Update 2010-002 (Leopard)
  • Security Update 2010-002 (Leopard Server)
  • Mac OS X v10.6.3 Update (Snow Leopard)
  • Mac OS X v10.6.3 Update (Snow Leopard Combo)
  • Mac OS X Server v10.6.3 Update (Snow Leopard Server)
  • Mac OS X Server v10.6.3 Update (Snow Leopard Server Combo)

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend that you let OS X’s Software Update utility pick the correct updates for you automatically.
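
For administrators triaging more than a handful of Macs, the version-to-update mapping above can be scripted. The following is an added example, not part of the original alert: it takes the version string that `sw_vers -productVersion` prints on each Mac and names the update from the list above. The function names and the sample inventory are constructed for illustration, and the Server and Combo variants are not distinguished.

```shell
#!/bin/sh
# Added example (not from the alert): triage hosts by OS X product version.

# required_update VERSION
# Prints the update this alert names for that version, or a status word.
required_update() {
    case $1 in
        ''|*[!0-9.]*) echo "unknown"; return 0 ;;   # reject non-version input
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                     # split "10.6.2" into 10 6 2
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    if [ "$major" -ne 10 ]; then
        echo "out-of-scope"
    elif [ "$minor" -eq 5 ]; then
        # Leopard stays on 10.5.x after patching, so the version number
        # alone cannot confirm the security update is installed.
        echo "Security Update 2010-002"
    elif [ "$minor" -eq 6 ] && [ "$patch" -lt 3 ]; then
        echo "Mac OS X v10.6.3 Update"
    elif [ "$minor" -eq 6 ]; then
        echo "none"               # already at 10.6.3 or later
    else
        echo "out-of-scope"       # the alert covers only 10.5.x and 10.6.x
    fi
}

# audit_inventory: reads "hostname version" lines on stdin and prints
# "hostname<TAB>action" for every host not already at the fixed level.
audit_inventory() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        action=$(required_update "$ver")
        [ "$action" = "none" ] || printf '%s\t%s\n' "$host" "$action"
    done
}

# Constructed sample inventory (hostnames and versions are made up).
sample_inventory() {
    cat <<'EOF'
design-01 10.5.8
design-02 10.6.2
build-01 10.6.3
lab-07 10.4.11
EOF
}

sample_inventory | audit_inventory
```

Hosts reported as out-of-scope run a version this alert does not cover and need separate review.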

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.

Status:

Apple has released updates to fix these issues.

References:

  • OS X 10.5.x and 10.6.x March 2010 Security Update

This alert was researched and written by Corey Nachreiner, CISSP.
