Summary:
- These vulnerabilities affect: All current versions of OS X 10.5.x (Leopard) and OS X 10.6.x (Snow Leopard)
- How an attacker exploits them: Multiple vectors of attack, including visiting malicious websites or enticing one of your users into downloading and viewing various malicious media files
- Impact: Various results; in the worst case, an attacker executes code on your user’s computer, potentially gaining full control of it
- What to do: OS X administrators should download, test and install Security Update 2010-002 or the 10.6.3 update.
Exposure:
Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes well over 90 (number based on CVE-IDs) security issues in around 43 components that ship as part of OS X, including Quicktime, CoreMedia, and Mail. Some of these vulnerabilities allow attackers to gain full control of your OS X machines, so we rate this update Critical. Apply it as soon as you can. Some of the fixed vulnerabilities include:
- Various QuickTime Code Execution Vulnerabilities. Quicktime is the multimedia (video and audio) player that ships with OS X. According to Apple, QuickTime suffers from nine code execution vulnerabilities involving its inability to properly handle maliciously crafted movie files. Though the flaws differ technically, they share the exact same scope and impact. If an attacker can lure one of your users into playing a malicious movie (perhaps hosted on a malicious website), he could exploit this flaw to either crash QuickTime or to execute attack code on that user’s computer. By default, the attacker would only execute code with that user’s privileges. However, the attacker could also leverage other privilege elevation flaws described in Apple’s alert to gain complete control of your user’s Mac.
- Multiple Image-related Memory Corruption Vulnerabilities. ImageIO and Image RAW are both OS X components that help the operating system handle various types of image files. Both components suffer from memory-related vulnerabilities involving the way they handle certain types of image files. Though the vulnerabilities differ technically, they share a very similar scope and impact. If an attacker can get a victim to view a specially crafted picture (perhaps hosted on a malicious website), he could exploit any of these flaws to either crash the viewing application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges. However, the attacker could also leverage other flaws in Apple’s alert to gain complete control of your user’s Mac.
- Disk Images Code Execution Vulnerabilities. Disk Images is the OS X component that mounts the DMG disk image files commonly used to install software on Mac computers. Apple’s OS X update fixes two code execution vulnerabilities in Disk Images. Though they differ technically, an attacker could leverage both in the same way. By enticing you to mount a malicious DMG file, an attacker could exploit either of these flaws to execute code on your computer, with your privileges. Like the previous flaws, the attacker could then leverage other vulnerabilities to gain complete control of your Mac.
Apple’s alert also describes many other vulnerabilities, including some Denial of Service (DoS) flaws, information disclosure issues, and Cross Site Scripting (XSS) vulnerabilities. Components patched by this security update include:
| AppKit | Application Firewall |
| AFP Server | Apache |
| ClamAV | CoreAudio |
| CoreMedia | CoreTypes |
| CUPS | curl |
| Cyrus IMAP | Cyrus SASL |
| Desktop Services | Disk Images |
| Directory Services | Dovecot |
| Event Monitor | FreeRADIUS |
| FTP Server | iChat Server |
| ImageIO | Image RAW |
| Libsystem | |
| Mailman | MySQL |
| OS Services | Password Server |
| perl | PHP |
| Podcast Producer | Preferences |
| PS Normalizer | Quicktime |
| Ruby | Server Admin |
| SMB | Tomcat |
| unzip | vim |
| Wiki Server | X11 |
| xar |
Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details
As an aside, if you haven’t installed the Safari update Apple released earlier this month, we recommend you install it as well.
Solution Path:
Apple has released OS X Security Update 2010-002 and 10.6.3 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can.
- Security Update 2010-001 (Leopard)
- Security Update 2010-001 (Leopard Server)
- Mac OS X v10.6.3 Update (Snow Leopard)
- Mac OS X v10.6.3 Update (Snow Leopard Combo)
- Mac OS X Server v10.6.3 Update (Snow Leopard Server)
- Mac OS X Server v10.6.3 Update (Snow Leopard Server Combo)
Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend that you let OS X’s Software Update utility pick the correct updates for you automatically.
For All Users:
These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.
Status:
Apple has released updates to fix these issues.
References:
This alert was researched and written by Corey Nachreiner, CISSP.