Last week, Apple released an OS X update that fixed 52 security vulnerabilities. However, customers have reported that the Snow Leopard (10.6.x) version of the update causes problems with Rosetta — a component that allows Intel Macs to run PowerPC programs. In response, Apple has revised their original advisory, and released a new version of the Snow Leopard update.
If you use Snow Leopard, and you downloaded Apple’s update on February 1, you should download the revised v1.1 update from the Apple Software Download page. Apple doesn’t appear to have changed the text on their download page to reflect this new version. However, they did share new checksums for the revised updates in their email security advisory. You can find those SHA-1 checksums below:
For Mac OS X v10.6.8
- Download file name: SecUpd2012-001Snow.dmg
- SHA-1 digest: 29218a1a28efecd15b3033922d71f0441390490a
For Mac OS X Server v10.6.8
- Download file name: SecUpdSrvr2012-001.dmg
- SHA-1 digest: 105bdebf2e07fc5c0127f482276ccb7b6b631199
Summary:
- These vulnerabilities affect: All current versions of OS X 10.6.x (Snow Leopard) and OS X 10.7.x (Lion)
- How an attacker exploits them: Multiple vectors of attack, including enticing your users to visit a malicious web site, or into downloading and viewing various document or media files
- Impact: Various results; in the worst case, an attacker executes code on your user’s computer
- What to do: OS X administrators should download, test and install OS X 10.7.3 or Security Update 2012-001 as soon as possible, or let Apple’s Software updater do it for you.
Exposure:
Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes around 52 (number based on CVE-IDs) security issues in 27 components that ship as part of OS X or OS X Server, including Apache, Quicktime, and Time Machine. Some of the fixed vulnerabilities include:
- Multiple ImageIO Buffer Overflow Vulnerability. ImageIO is one of the components that helps OS X handle various image file types. Unfortunately, it also suffers from various security vulnerabilities (including some buffer overflow vulnerabilities) involving the way it handles certain types of image files. Though these vulnerabilities differ technically, they generally share the same scope and impact. If an attacker can get a victim to view a specially crafted image file (perhaps hosted on a malicious website), he could exploit any of these flaws to either crash an application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges. The affected image types include TIFF and PNG.
- CoreAudio Buffer Overflow Vulnerability. CoreAudio is a component that helps OS X play audio content. It suffers from a buffer overflow vulnerability. By enticing you to play a specially crafted audio file, an attacker would exploit this flaw to either crash your system, or execute code with your privileges.
- Several Quicktime Vulnerabilities. Quicktime is the popular video and media player that ships with OS X (and iTunes). Quicktime suffers from six security issues (number based on CVE-IDs) involving how it handles certain image and video files. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing a maliciously crafted image or video in QuickTime, she could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges.
Apple’s alert also describes many other code execution vulnerabilities, as well as some Denial of Service (DoS) flaws, elevation of privilege vulnerabilities, and information disclosure flaws. Components patched by this security update include:
| Apache | ATS |
| CFNetwork | ColorSync |
| CoreAudio | CoreMedia |
| CoreText | CoreUI |
| curl | Data Security |
| dovecot | filecmds |
| ImageIO | Internet Sharing |
| Libinfo | libresolv |
| libsecurity | OpenGL |
| PHP | QuickTime |
| SquirrelMail | Subversion |
| Time Machine | Tomcat |
| WebDAV Sharing | Webmail |
| X11 |
Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details.
Solution Path:
Apple has released OS X Security Update 2012-001 and OS X 10.7.3 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can, or let Apple’s automatic Software Update utility do it for you
- OS X Lion Update 10.7.3 (Client)
- OS X Lion Update 10.7.3 (Client Combo)
- OS X Lion Update 10.7.3 (Server)
- OS X Lion Update 10.7.3 (Server) Combo
- Security Update 2012-001 Server (Snow Leopard)
- Security Update 2012-001 (Snow Leopard)
Note: Some of these updates are rather large (700MB or greater), and all require a reboot.
For All Users:
These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.
Status:
Apple has released updates to fix these flaws.
References:
This alert was researched and written by Corey Nachreiner, CISSP. (@SecAdept)