Apple Security Update RoundUp
Dave G. | May 12th, 2006 | Filed Under: Disclosure, Industry Punditry
QuickTime 7.1: 9+ vulnerabilities in QuickTime, all various flavors of memory trespass (stack/heap, with integer problems tossed in for good measure). All reachable remotely via web browsers. Mike Price reported 7 of the issues, and clearly got his fuzz on.
Security Update 2006-003: 26 vulnerabilities, 5 are credited to outside researchers.
That’s around 35 vulnerabilities in one day!
AppKit/ImageIO: Secure text fields not so secure (so?); overflow in applications that use ImageIO to read GIFs/TIFFs.
Bom: Arbitrary code execution and directory traversal/file overwrites via ZIP files
CFNetwork: Chunked Encoding related Integer Overflow, impacts Safari and other applications
ClamAV: Arbitrary code execution, this is an update of ClamAV.
CoreFoundation: Untrusted bundles can get executed without a user being aware of it. This is because of a bundle API ‘feature’ that allows dynamic libraries to load and execute upon registration, even if the client application didn’t request that to happen.
Integer underflow can result in arbitrary code execution in CFStringGetFileSystemRepresentation and the related NSFileManager’s getFileSystemRepresentation:maxLength:withPath:.
CoreGraphics: Secure text fields not so secure here either… Don’t worry about this one!
curl: Buffer overflows. Updates to libcurl version 7.15.1.
Finder: Code execution via Internet Location Items
FTPServer: Multiple issues result in buffer overflows in path name handling. Yeah, I double-checked the website. In the path. Multiple issues! It says authenticated users; I hope that doesn’t include anonymous…
Flash Player Plug-in: Remote code execution in macromedia’s code. Update to Flash Player version 8.0.24.0.
Keychain: If an application obtained a reference to a Keychain item prior to it being locked, they can still access that item. Won’t keep me up at night
LaunchServices: Remote code execution via a bug in the code that determines whether or not downloaded content is safe. A long file extension can prevent download validation from being performed properly.
Mail: MacMime Buffer Overflow and my personal favorite out of all of these:
“The handling of invalid color information in enriched text email messages could cause the allocation and initialization of arbitrary classes.”
MySQL Manager (Server): The MySQL password is set to blank even if you explicitly set one during initial setup.
Preview: Stack overflow via deep directory structures.
QuickDraw: Malicious PICTs cause buffer overflows.
QuickTime Streaming Server (Server): Remote DoS plus remote buffer overflow
Ruby: Safe level bypass. Don’t tell Dino!
Safari: Potential code execution/file manipulation via remote websites and symlink handling.
FWIW, securityd is explicitly mentioned in Software Update, but not on Apple’s Security Update web page. It is probably one of the aforementioned bugs…
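The CFNetwork entry above names an integer overflow in chunked-encoding handling but gives no detail, so as an added illustration of that bug class (constructed C written for this post, not CFNetwork’s code, and not a claim about the actual flaw) here is an HTTP/1.1 chunk-size parser in a vulnerable form beside a hardened one. The chunk header is a hex length; a client that computes `length + 2` for the trailing CRLF in 32-bit arithmetic lets a hostile server wrap the allocation size to 1 while the copy loop still trusts the original length. The 16 MiB cap and the sample input are assumptions for the example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example of the chunked-encoding integer-overflow bug class.
   Not CFNetwork's code; the advisory does not describe the real flaw. */

/* Hex digit to value; caller guarantees isxdigit(c). */
static unsigned hexval(char c) {
    if (c >= '0' && c <= '9') return (unsigned)(c - '0');
    if (c >= 'a' && c <= 'f') return (unsigned)(c - 'a' + 10);
    return (unsigned)(c - 'A' + 10);
}

/* VULNERABLE: parse the chunk-size line ("ffffffff\r\n") in 32-bit
   arithmetic and reserve two extra bytes for the trailing CRLF.
   0xffffffff + 2 wraps to 1, so a 1-byte buffer receives a 4 GiB copy. */
static uint32_t chunk_size_vulnerable(const char *line) {
    uint32_t len = 0;
    while (isxdigit((unsigned char)*line)) {
        len = len * 16 + hexval(*line);   /* silently wraps on long input */
        line++;
    }
    return len + 2;                        /* silently wraps near UINT32_MAX */
}

/* Assumed policy limit on a single chunk; real stacks pick their own. */
#define MAX_CHUNK ((size_t)16 * 1024 * 1024)

/* HARDENED: same parse, but every arithmetic step is checked and the result
   is capped. Returns the buffer size (chunk + CRLF), or 0 to reject the chunk
   (a valid result is always >= 2, so 0 is unambiguous). */
static size_t chunk_size_hardened(const char *line) {
    size_t len = 0;
    int digits = 0;
    while (isxdigit((unsigned char)*line)) {
        unsigned d = hexval(*line);
        if (len > (SIZE_MAX - d) / 16) return 0;   /* len*16+d would wrap */
        len = len * 16 + d;
        line++;
        digits++;
    }
    if (digits == 0) return 0;                     /* no hex digits at all */
    if (*line != ';' && *line != '\r' && *line != '\0') return 0; /* junk after size */
    if (len > MAX_CHUNK) return 0;                 /* policy cap */
    return len + 2;                                /* cannot wrap after the cap */
}

int main(void) {
    const char *hostile = "ffffffff";              /* constructed server input */
    printf("vulnerable buffer size: %u\n", chunk_size_vulnerable(hostile));
    printf("hardened   buffer size: %zu (0 = rejected)\n", chunk_size_hardened(hostile));
    return 0;
}
```

The hardened version makes two separate decisions: the wrap check before each multiply-add catches arbitrarily long digit strings, and the cap turns “fits in a size_t” into “fits in what this client is willing to allocate”, which is the check that actually stops the 4 GiB copy on a 64-bit build where the addition alone would not wrap.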
So, in short, without the latest update, OS X is secure as long as you don’t look at any movies, images, websites, zip files, flash content or email messages.
Snarkiness aside, I like that a number of these vulnerabilities appear to have been found internally (assuming that is what uncredited vulnerabilities mean).
Morten Liebach
May 12th, 2006 9:31 am
Tom Ferris says that all the vulnerabilities he reported earlier this year are fixed by this update (http://security-protocols.com/modules.php?name=News&file=article&sid=3235), yet I don’t see his name anywhere…
Of course Apple might have found the vulnerabilities internally first, although I think that’s less likely.
But I just don’t know.
Thomas Ptacek
May 12th, 2006 9:36 am
Less likely because Apple doesn’t do much internal vulnerability research?
Morten Liebach
May 12th, 2006 11:17 am
Yes.
But that’s just based on what you and others write, I really don’t know, and Apple doesn’t tell as far as I know.
Dave G.
May 12th, 2006 12:30 pm
It is also possible that Apple didn’t credit Tom F. since he publicly disclosed without waiting for the patch.
Morten: you credit (blame?) Tom P. for my post… we are a team blog these days!
Morten Liebach
May 12th, 2006 3:59 pm
Yes, Ferris might have been premature in announcing the vulnerabilities, but we don’t know what was communicated between Apple and Ferris.
And Dave, you’re now the one being blamed for this, not Thomas.
Dave G.
May 12th, 2006 4:27 pm
Yeah, I was definitely speculating… and thanks for the speedy correction!
SpaceCowboy
May 12th, 2006 6:28 pm
http://www.securityfocus.com/archive/1/433831/30/0/threaded
23 QT vulns.
Dave G.
May 12th, 2006 7:15 pm
Indeed!
Thomas Ptacek
May 12th, 2006 7:49 pm
37? In a row?