Major security update for Mac OS X


Apple has released a wide-ranging security update for Mac OS X. It's the fourth for the year, which has us wondering if the company is moving to a monthly schedule.

Security Update 2007-004 covers Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4.9 and Mac OS X Server v10.4.9, and delivers over two dozen patches for various components. Some systems are the target of multiple patches.

Several of the bugs allow local users to obtain system privileges or execute code with elevated privileges. These are probably not very important for the average single-user Mac, but may be significant in corporate or educational environments. Also in this category are a pair of fixes to prevent a user from bypassing the login and screen saver authentication dialogs.

Also in this general category is an SMB networking-related issue that exposed authentication credentials to other local users.

More serious flaws fixed by 2007-004 include improved validation of UFS file systems to avoid an exploit involving maliciously crafted disk image files, improved validation of tar files for similar reasons, and improved error reporting in Libinfo to prevent a malicious web page from executing arbitrary code.

Also significant are fixes to Installer and Help Viewer to prevent format string exploits, to the VideoConference framework used by iChat to prevent an exploitable buffer overflow, and to WebFoundation to prevent leakage of cookie information from subdomains to their parents.

A potentially serious problem in Internet Sharing has been fixed, although in these days of inexpensive routers that facility is rarely used, except perhaps on Mac OS X Server. A buffer overflow could be triggered by sending maliciously crafted RTSP packets to the system, with the possibility of arbitrary code execution.

One of the flaws addressed by the update was reported to Apple by Kevin Finisterre of Digital Munitions and the Month of Apple Bugs, while another was reported by Landon Fuller, the leader of the MoAB Fixes project that developed temporary patches for flaws publicised by Finisterre and 'LMH' during January 2007.

2007-004 includes an IOKit fix originally distributed in the Mac OS X 10.4.9 update, but according to Apple's release notes "due to a packaging issue it may not have been delivered to all systems." The issue it addresses is relatively serious, as it allowed any logged-in user to capture console keystrokes.