• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Apple OS X Patch Corrects Clear Text Password Issue

May 10, 2012 By Corey Nachreiner

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of OS X 10.6.x (Snow Leopard) and OS X 10.7.x (Lion).
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to visit a malicious web site, or into downloading and viewing various images or media files.
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer. Attackers could combine these issues to gain full control of your Mac.
  • What to do: OS X administrators should download, test and install OS X 10.7.4 or Security Update 2012-002 as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Late Yesterday, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes around 36 (number based on CVE-IDs) security issues in 19  components that ship as part of OS X or OS X Server, including QuickTime, the Kernel, Time Machine, and many others. Some of the corrected vulnerabilities include:

  • Local File Vault Password Disclosure Vulnerability. File Vault is an OS X component that encrypts files on a Mac, while Login Window is the component that allows you to log in to your Mac. Earlier this week, researchers disclosed a flaw in Apple’s File Vault that potentially exposes your password locally. The researcher found that when you upgrade OS X Snow Leopard to OS X Lion, the upgrade process sets a debug flag, which results in your passwords being stored to a local log file, in clear text. This means anyone with local access to that Mac can see the passwords for everyone that logged into that system.  Today’s Login Window update corrects this issue, preventing your passwords from being stored in this file. However, it does not clear out any existing passwords already in the log. To learn how to manually clear these logs, see this article.
  • Multiple ImageIO Buffer Overflow Vulnerability. ImageIO is one of the components that helps OS X handle and display various images. It suffers from four security vulnerabilities (two being buffer overflow vulnerabilities) involving the way it handles TIFF image files. Though these vulnerabilities differ technically, most of them share the same general scope and impact. If an attacker can trick you into viewing a specially crafted image file (perhaps hosted on a malicious website), he could exploit the worst of these flaws to either crash an image application or to execute attack code on your Mac, with your privileges. The attacker could also exploit other vulnerabilities described in Apple’s alert to gain full control of your Mac.
  • Several QuickTime Vulnerabilities. QuickTime is the popular video and media player that ships with OS X (and iTunes). QuickTime suffers from four security issues (number based on CVE-IDs) involving how it handles certain  video files and streaming media. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing a maliciously crafted content in QuickTime, she could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. Again, attackers could then leverage other flaws described in Apple’s alert to gain complete control of your Mac.

Apple’s alert also describes many other code execution vulnerabilities, as well as some Denial of Service (DoS) flaws, elevation of privilege vulnerabilities, and information disclosure flaws. Components patched by this security update include:

Login WindowBluetooth
curlDirectory Service
HFSImageIO
Kernellibarchive
libsecuritylibxml
LoginUIFrameworkPHP
Quartz ComposerQuicktime
RubySamba
Security FrameworkTime Machine
X11

Please refer to Apple’s OS X 10.6.x and 10.7.x alert for more details.

Note: Apple also released a Safari alert and update, which fixes four vulnerabilities in the Mac and Windows version of Apple’s web browser. Attackers could leverage at least one of these flaws in a drive-by download attack. If you use Safari on a Mac or PC, you should update it to version 5.1.7, or let Apple’s automatic updater do it for you.

Solution Path:

Apple has released OS X Security Update 2012-002 and OS X 10.7.4 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can, or let Apple’s automatic Software Update utility do it for you.

  • OS X Lion Update 10.7.4 (Client)
  • OS X Lion Update 10.7.4 (Client Combo)
  • OS X Lion Update 10.7.4 (Server)
  • OS X Lion Update 10.7.4 (Server) Combo
  • Security Update 2012-002 Server (Snow Leopard)
  • Security Update 2012-002 (Snow Leopard)


Mac or PC Safari users should also update it to version 5.1.7.

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack. Therefore, installing these updates is the most secure course of action.

Status:

Apple has released updates to fix these flaws.

References:

  • May 2012 OS X  Security Update
  • May 2012 Safari  Security Update

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Share This:

Related

Filed Under: Security Bytes Tagged With: Apple, filevault

Comments

  1. andria says

    May 29, 2012 at 1:48 am

    Apple OS X Patch Corrects Clear Text Password Issue

    Reply
  2. apple security says

    October 24, 2013 at 11:53 pm

    Did you do your site alone? I got help at
    apple security http://www.legalnursenetwork.com/

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • US National Cybersecurity Strategy
  • Cybersecurity’s Toll on Mental Health
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • Here Come The Regulations

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • Here Come The Regulations
  • US National Cybersecurity Strategy
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • Cybersecurity’s Toll on Mental Health
  • Successfully Prosecuting a Russian Hacker
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use