September 15th, 2008

Apple mega-patch covers 34 Mac OS X security issues

Posted by Ryan Naraine @ 4:54 pm

Categories: Apple, Arbitrary Code Execution, Botnets, Browsers, Data theft, Exploit code, Kernel-level Exploits, Malware, Passwords, Patch Watch, Rootkits, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: Security, Apple Mac OS, Apple Macintosh, Password, DNS, Apple Inc., Apple Mac OS X, Arbitrary Code Execution, Application Termination, CVE-2008-1382

Apple has shipped another mega-update to address security vulnerabilities affecting Mac OS X users, warning that the most serious issues could lead to arbitrary code execution attacks.

The update, available for Tiger and Leopard, addresses a total of 34 documented vulnerabilities, some in third-party components like ClamAV, BIND, OpenSSH and Ruby.

It also provides fixes for the following Mac OS X flaws:

  • CVE-2008-2305 — A heap buffer overflow exists in Apple Type Services’ handling of PostScript font names. Viewing a document containing a maliciously crafted font may lead to arbitrary code execution.
  • CVE-2008-2329 — An information disclosure issue exists in Login Window when it is configured to authenticate users with Active Directory. By supplying wildcard characters in the user name field, a list of user names from Active Directory may be displayed.
  • CVE-2008-2330 — An insecure file operation issue exists in the slapconfig tool used for configuring OpenLDAP. A local user can cause the password entered by a system administrator running slapconfig to be written to a file controlled by the user.
  • CVE-2008-2331 — Finder does not update the displayed permissions under some circumstances in a Get Info window. After clicking the lock button, changes to the filesystem Sharing & Permissions will take effect, but will not be displayed.
  • CVE-2008-3613 — A null pointer dereference issue exists in the Finder when it searches for a remote disc. An attacker with access to the local network can cause Finder to exit immediately after it starts, making the system unusable.
  • CVE-2008-2327 — Multiple uninitialized memory access issues exist in libTIFF’s handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2008-2332 — A memory corruption issue exists in ImageIO’s handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2008-3608 — A memory corruption issue exists in ImageIO’s handling of embedded ICC profiles in JPEG images. Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2008-1382 — libpng in ImageIO is updated to version 1.2.29. CVE-2008-1382 is not known to affect the use of libpng in ImageIO, and this update is applied as a precautionary measure.
  • CVE-2008-3609 — Cached credentials are not always flushed when a vnode is recycled. This may allow a local user to read or write to a file where the permissions would not allow it. This update addresses the issue through improved handling of purged vnodes.
  • CVE-2008-1447 — libresolv provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, applications that rely on libresolv for DNS may receive forged information.
  • CVE-2008-3610 — A race condition exists in Login Window. To trigger this issue, the system must have the Guest account enabled or another account with no password. In a small proportion of attempts, an attempt to log in to such an account will not complete. The user list would then be presented again, and the person would be able to log in as any user without providing a password. If the original account were the Guest account, the contents of the new account will be deleted on logout.
  • CVE-2008-3611 — When a system has been configured to enforce policies on login passwords, users may be required to change their password in the login screen. If a password change fails, an error message is displayed, but the current password is not cleared. This may not be obvious to the user. If the user leaves the system unattended with this error message displayed, a person with access to the login screen may be able to reset that user’s password.
  • CVE-2008-1447 — mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow a remote attacker to perform DNS cache poisoning attacks. As a result, applications that rely on mDNSResponder for DNS may receive forged information.
  • CVE-2008-3614 — An integer overflow exists in QuickDraw’s handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2008-3616 — Integer overflow issues exist in functions within the SearchKit framework. Passing untrusted input to SearchKit via an application may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2008-2312 — Network Preferences stores PPP passwords unencrypted in a world-readable file, accessible to any local user. This update addresses the issue by storing PPP passwords in the system keychain when the password is changed.
  • CVE-2008-3617 — Remote Management and Screen Sharing can be configured to require a password for VNC viewers. The maximum length for VNC viewer passwords is eight characters. The password field can display more than eight characters, implying that the additional characters are used in the password.

Other documented vulnerabilities affect System Preferences, Time Machine, VideoConference and Wiki Server.
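The exposure behind CVE-2008-2312 (a password file any local user can read) can be audited from mode bits, shown here as an added example that is not from the article or from Apple. The function names, file names and sandbox layout are constructed for illustration; the check looks at POSIX mode bits only and ignores ACLs.

```python
import os
import stat
import tempfile

def readable_by_others(path, root="/"):
    """True if mode bits alone let any local account read `path`.

    The file needs the "other" read bit, and every directory from the
    file's parent up to and including `root` needs the "other" search bit.
    """
    path, root = os.path.realpath(path), os.path.realpath(root)
    mode = os.stat(path).st_mode
    if not stat.S_ISREG(mode) or not mode & stat.S_IROTH:
        return False
    parent = os.path.dirname(path)
    while True:
        if not os.stat(parent).st_mode & stat.S_IXOTH:
            return False  # a non-searchable directory shields the file
        if parent == root or parent == os.path.dirname(parent):
            return True
        parent = os.path.dirname(parent)

def audit(paths, root="/"):
    """Return the subset of `paths` that any local user could read."""
    return sorted(p for p in paths if readable_by_others(p, root))

def demo():
    """Build a constructed sandbox and report which sample files are exposed."""
    layout = {  # relative path: (directory mode, file mode)
        "open/ppp.conf": (0o755, 0o644),     # world-readable, reachable
        "open/locked.conf": (0o755, 0o600),  # owner-only file
        "private/ppp.conf": (0o700, 0o644),  # read bit set, directory closed
    }
    with tempfile.TemporaryDirectory() as box:
        os.chmod(box, 0o755)
        paths = []
        for rel, (dir_mode, file_mode) in layout.items():
            full = os.path.join(box, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            os.chmod(os.path.dirname(full), dir_mode)
            with open(full, "w") as fh:
                fh.write("password = constructed-sample\n")
            os.chmod(full, file_mode)
            paths.append(full)
        return [os.path.relpath(p, box) for p in audit(paths, box)]

if __name__ == "__main__":
    print(demo())
```

Only the first sample file is reported: the second lacks the read bit, and the third sits behind a directory other users cannot traverse.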

* Image source: DeclanTM’s Flickr photostream (Creative Commons 2.0)

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.

