Summary:
- These vulnerabilities affect: All current versions of OS X 10.5.x (Leopard) and OS X 10.6.x (Snow Leopard)
- How an attacker exploits them: Multiple vectors of attack, including visiting malicious websites or downloading and viewing various malicious media files
- Impact: Various results; in the worst case, an attacker executes code on your user’s computer, potentially gaining full control of it
- What to do: OS X administrators should download, test and install Security Update 2010-004 or the 10.6.4 update as soon as possible, or let Apple’s Software updater do it for you.
Exposure:
Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes 28 (number based on CVE-IDs) security issues in 17 components that ship as part of OS X, including iChat, ImageIO, and Help Viewer. Some of these vulnerabilities allow attackers to gain full control of your OS X machines, so we rate this update Critical. Apply it as soon as you can. Some of the fixed vulnerabilities include:
- Multiple ImageIO Memory Corruption Vulnerabilities. ImageIO is an OS X component that helps the operating system handle various types of graphical media. It suffers from memory-related vulnerabilities involving the way it handles certain types of images (TIFF) and movies (MPEG 2 encoded). Though the vulnerabilities differ technically, they share a very similar scope and impact. If an attacker can get a victim to view a specially crafted picture or movie (perhaps hosted on a malicious website), he could exploit one of these flaws to either crash the viewing application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges. However, the attacker could also leverage other flaws in Apple’s alert to gain complete control of your user’s Mac.
- Network Authorization Code Execution Vulnerability. Network Authorization is an OS X component that handles authenticating users over a network. According to Apple, the Network Authorization component does not properly handle specially crafted URLs that begin with the afp:, cifs:, or smb: URI schemes. By enticing one of your users to a web site containing specially crafted links, an attacker could exploit this vulnerability to execute code on that user’s computer, with that user’s privileges. Network Authorization also suffers from an elevation of privilege vulnerability that could allow a local unprivileged user to gain complete system privileges on your Mac.
- Multiple Kerberos Vulnerabilities. OS X’s kerberos component suffers from three different security vulnerabilities. The worst vulnerability has to do with a flaw in how kerberos handles specially crafted messages using AES or RC4 encryption. By sending a specially crafted, encrypted message to your kerberos KDC server, an unauthenticated attacker can exploit this vulnerability to execute code on your computer, gaining complete control of your Mac. Of course, you need to have a kerberos KDS server configured on one of your OS X computers to be vulnerable to this issue. The remaining two kerberos flaws include a second code execution vulnerability and a Denial of Service (DoS) issue.
Apple’s alert also describes many other vulnerabilities, including more Denial of Service (DoS) flaws, information disclosure issues, and Cross Site Scripting (XSS) vulnerabilities. Components patched by this security update include:
| CUPS | DesktopServices |
| Flash Player plug-in | Folder Manager |
| Help Viewer | iChat |
| ImageIO | Kerberos |
| libcurl | Network Authorization |
| Open Directory | Printer Setup |
| Printing | Ruby |
| SMB File Server | SquirrelMail |
| Wiki Server |
Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details.
Solution Path:
Apple has released OS X Security Update 2010-004 and OS X 10.6.4 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can.
- Mac OS X v10.6.4 Update
- Mac OS X v10.6.4 Update (Combo)
- Mac OS X Server v10.6.4 Update
- Mac OS X Server v10.6.4 Update (Combo)
- Mac OS X v10.6.4 Update Mac mini (Mid 2010)
- Mac OS X Server v10.6.4 Update Mac mini (Mid 2010)
Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend that you let OS X’s Software Update utility pick the correct updates for you automatically.
For All Users:
These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.
Status:
Apple has released updates to fix this flaw.