Severity: High
Summary:
- These vulnerabilities affect: All current versions of OS X 10.6.x (Snow Leopard) and OS X 10.7.x (Lion).
- How an attacker exploits them: Multiple vectors of attack, including enticing your users to visit a malicious web site, or into downloading and viewing various images or media files.
- Impact: Various results; in the worst case, an attacker executes code on your user’s computer. Attackers could combine these issues to gain full control of your Mac.
- What to do: OS X administrators should download, test and install OS X 10.7.4 or Security Update 2012-002 as soon as possible, or let Apple’s Software updater do it for you.
Exposure:
Late Yesterday, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes around 36 (number based on CVE-IDs) security issues in 19 components that ship as part of OS X or OS X Server, including QuickTime, the Kernel, Time Machine, and many others. Some of the corrected vulnerabilities include:
- Local File Vault Password Disclosure Vulnerability. File Vault is an OS X component that encrypts files on a Mac, while Login Window is the component that allows you to log in to your Mac. Earlier this week, researchers disclosed a flaw in Apple’s File Vault that potentially exposes your password locally. The researcher found that when you upgrade OS X Snow Leopard to OS X Lion, the upgrade process sets a debug flag, which results in your passwords being stored to a local log file, in clear text. This means anyone with local access to that Mac can see the passwords for everyone that logged into that system. Today’s Login Window update corrects this issue, preventing your passwords from being stored in this file. However, it does not clear out any existing passwords already in the log. To learn how to manually clear these logs, see this article.
- Multiple ImageIO Buffer Overflow Vulnerability. ImageIO is one of the components that helps OS X handle and display various images. It suffers from four security vulnerabilities (two being buffer overflow vulnerabilities) involving the way it handles TIFF image files. Though these vulnerabilities differ technically, most of them share the same general scope and impact. If an attacker can trick you into viewing a specially crafted image file (perhaps hosted on a malicious website), he could exploit the worst of these flaws to either crash an image application or to execute attack code on your Mac, with your privileges. The attacker could also exploit other vulnerabilities described in Apple’s alert to gain full control of your Mac.
- Several QuickTime Vulnerabilities. QuickTime is the popular video and media player that ships with OS X (and iTunes). QuickTime suffers from four security issues (number based on CVE-IDs) involving how it handles certain video files and streaming media. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing a maliciously crafted content in QuickTime, she could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. Again, attackers could then leverage other flaws described in Apple’s alert to gain complete control of your Mac.
Apple’s alert also describes many other code execution vulnerabilities, as well as some Denial of Service (DoS) flaws, elevation of privilege vulnerabilities, and information disclosure flaws. Components patched by this security update include:
| Login Window | Bluetooth |
| curl | Directory Service |
| HFS | ImageIO |
| Kernel | libarchive |
| libsecurity | libxml |
| LoginUIFramework | PHP |
| Quartz Composer | Quicktime |
| Ruby | Samba |
| Security Framework | Time Machine |
| X11 |
Please refer to Apple’s OS X 10.6.x and 10.7.x alert for more details.
Note: Apple also released a Safari alert and update, which fixes four vulnerabilities in the Mac and Windows version of Apple’s web browser. Attackers could leverage at least one of these flaws in a drive-by download attack. If you use Safari on a Mac or PC, you should update it to version 5.1.7, or let Apple’s automatic updater do it for you.
Solution Path:
Apple has released OS X Security Update 2012-002 and OS X 10.7.4 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can, or let Apple’s automatic Software Update utility do it for you.
- OS X Lion Update 10.7.4 (Client)
- OS X Lion Update 10.7.4 (Client Combo)
- OS X Lion Update 10.7.4 (Server)
- OS X Lion Update 10.7.4 (Server) Combo
- Security Update 2012-002 Server (Snow Leopard)
- Security Update 2012-002 (Snow Leopard)
Mac or PC Safari users should also update it to version 5.1.7.
For All Users:
These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack. Therefore, installing these updates is the most secure course of action.
Status:
Apple has released updates to fix these flaws.
References:
This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).