2010-03-29, 02:53 PM | #1
You can now put whatever you want in this space :)
Apple plugs 88 Mac OS X security holes
Apple today released one of its biggest Mac OS X security updates in recent memory, covering a whopping 88 documented vulnerabilities.
The Mac OS X v10.6.3 update, which is considered “critical,” covers flaws that could lead to remote code execution, information disclosure and denial-of-service attacks. In some scenarios, a malicious hacker could take complete control of a Mac-powered machine if a user simply views a malicious image or movie file. In another case, a Mac user running spell-check could have his/her machine hijacked by hackers. The update covers critical vulnerabilities in AppKit, QuickTime, CoreMedia, CoreTypes, DiskImages, ImageIO and Image RAW. It also covers holes in several open-source components, including Apache, ClamAV, MySQL and PHP. ZD Net has the full article, click here.
2010-03-29, 03:23 PM | #2
Subversive filth of the hedonistic decadent West
Join Date: Mar 2003
Location: Southeast Florida
Posts: 27,936
I installed it earlier today. It was almost half a gig in size.
So far everything seems exactly the same.
2010-03-29, 08:00 PM | #3
Subversive filth of the hedonistic decadent West
Join Date: Mar 2003
Location: Southeast Florida
Posts: 27,936
Here is the complete list.
Apple today posted Mac OS X 10.6.3, along with a corresponding Server 10.6.3 update, plus a Security Update 2010-002 for Leopard (10.5.8) and a Server Security 2010-002 update for Server 10.5.8. (There's no security update for Mac OS X 10.4 "Tiger", which appears to no longer be supported.) The updates address a long list of security flaws and other bugs, including the following:

- improve the reliability and compatibility of QuickTime X
- address compatibility issues with OpenGL-based applications
- address an issue that causes background message colors to display incorrectly in Mail
- resolve an issue that prevented files with the # or & characters in their names from opening in Rosetta applications
- resolve an issue that prevented files from copying to Windows file servers
- improve performance of Logic Pro 9 and Main Stage 2 when running in 64-bit mode
- improve sleep and wake reliability when using Bonjour wake on demand
- address a color issue in iMovie with HD content
- improve printing reliability
- resolve issues with recurring events in iCal when connected to an Exchange server
- improve the reliability of 3rd party USB input devices
- fix glowing, stuck, or dark pixels when viewing video from the iMac (Late 2009) built-in iSight camera

- AppKit: Spell checking a maliciously crafted document may lead to an unexpected application termination or arbitrary code execution
- Application Firewall: Certain rules in the Application Firewall may become inactive after restart
- AFP Server: When guest access is disabled, a remote user may be able to mount AFP shares as a guest. A remote user with guest access to an AFP share may access the contents of world-readable files outside the Public share
- Apache: A remote attacker may be able to bypass access control restrictions
- ClamAV: ClamAV virus definitions may not receive updates
- CoreAudio and CoreMedia: Playing maliciously crafted audio content or movie file may lead to an unexpected application termination or arbitrary code execution
- CoreTypes: Users are not warned before opening certain potentially unsafe content types
- CUPS: A local user may be able to obtain system privileges
- curl: A man-in-the-middle attacker may be able to impersonate a trusted server
- curl: Using curl with -L may allow a remote attacker to read or write local files
- Cyrus: A local user may be able to obtain the privileges of the Cyrus user. An unauthenticated remote attacker may cause unexpected application termination or arbitrary code execution
- DesktopServices: Items copied in the Finder may be assigned an unexpected file owner. A remote attacker may gain access to user data via a multi-stage attack
- Disk Images: Mounting a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution
- Directory Services: A local user may obtain system privileges
- Dovecot: An authenticated user may be able to send and receive mail even if the user is not on the SACL of users who are permitted to do so
- Event Monitor: A remote attacker may cause arbitrary systems to be added to the firewall blacklist
- FreeRADIUS: A remote attacker may obtain access to a network via RADIUS authentication
- FTP Server: Users may be able to retrieve files outside the FTP root directory
- iChat Server: A remote attacker may be able to cause a denial of service. Chat messages may not be logged. An authenticated user may be able to cause an unexpected application termination or arbitrary code execution
- ImageIO: Viewing a maliciously crafted JP2 or TIFF image may lead to an unexpected application termination or arbitrary code execution. Visiting a maliciously crafted website may result in sending data from Safari's memory to the website
- Image RAW: Viewing a maliciously crafted NEF or PEF image may lead to an unexpected application termination or arbitrary code execution
- Libsystem: Applications that convert untrusted data between binary floating point and text may be vulnerable to an unexpected application termination or arbitrary code execution
- Mail: Rules associated with a deleted mail account remain in effect. Mail may use a weaker encryption key for outgoing email
- Mailman: Multiple vulnerabilities in Mailman 2.1.9
- MySQL: Multiple vulnerabilities in MySQL 5.0.82
- OS Services: A local user may be able to obtain elevated privileges
- Password Server: A remote attacker may be able to log in with an outdated password
- perl: A local user may cause arbitrary files to be deleted
- PHP: Multiple vulnerabilities in PHP 5.3.0. Multiple vulnerabilities in PHP 5.2.11
- Podcast Producer: An unauthorized user may be able to access a Podcast Composer workflow
- Preferences: A network user may be able to bypass system login restrictions
- PS Normalizer: Viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution
- QuickTime: Viewing a maliciously crafted movie or MPEG file may lead to an unexpected application termination or arbitrary code execution
- Ruby: Multiple issues in Ruby on Rails. Running a Ruby script that uses untrusted input to initialize a BigDecimal object may lead to an unexpected application termination
- Server Admin: A remote attacker may extract information from Open Directory. A former administrator may have unauthorized access to screen sharing
- SMB: A remote attacker may be able to cause a denial of service
- Tomcat: Multiple vulnerabilities in Tomcat 6.0.18
- unzip: Extracting maliciously crafted zip files using the unzip command tool may lead to an unexpected application termination or code execution
- vim: Multiple vulnerabilities in vim 7.0
- Wiki Server: Uploading a maliciously crafted applet may lead to the disclosure of sensitive information. An authenticated user may bypass weblog creation restrictions
- X11: Viewing a maliciously crafted image may lead to the disclosure of sensitive information. Displaying maliciously crafted data within an xterm terminal may lead to arbitrary code execution
- xar: A modified package may appear as validly signed
2010-03-29, 09:00 PM | #4
You can now put whatever you want in this space :)
Holy Crap!
2010-03-29, 10:19 PM | #5
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
The thing I find disappointing about security issues is the 'count' of exploits fixed. This is also done with Linux. Linux as a core is very secure; it is the applications running on it that are usually the problem. Just glancing at the list:
Apache, ClamAV, CUPS, curl, cyrus, Dovecot, FreeRadius, MySQL, Perl, PHP, Ruby, unzip, xar are not software packages produced by Apple, yet are included in the vulnerability count. They are packaged and redistributed through Apple's package manager, but are they truly Apple vulnerabilities? How many Windows development boxes not running the new MySQL are currently vulnerable? Is Microsoft going to push updates to perl, MySQL, php to machines that have it installed? Will Microsoft count vulnerabilities in those applications along with their own vulnerabilities? Some Linux distributions have packaged over 12000 pieces of software. Vulnerabilities discovered in packages that people don't even use are counted as Linux security issues. Oh well....
__________________
SnapReplay.com a different way to share photos - iPhone & Android