Apple’s Latest OS X Update Patches More than 30 Holes

Severity: High

18 December, 2007

Summary:

  • These vulnerabilities affect: OS X 10.4.x (Tiger) and 10.5.x (Leopard)
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to visit a malicious web site or download and open a booby-trapped file
  • Impact: More than 30 flaws; various results. In the worst case, attacker executes code on your user’s computer, potentially gaining control of it
  • What to do: Install Apple security update 2007-009

Exposure:

Today, Apple released a security update fixing over 30 security issues in software packages that ship as part of OS X 10.4.x and 10.5.x, including Safari, Mail, and iChat. Many of these vulnerabilities allow attackers to execute any code they choose on your OS X machines, so we rate this update Critical. Apply it as soon as you can. Some of the fixed vulnerabilities include:

  • Format string vulnerability in Address Book. Address Book is an OS X application that allows you to store and organize your contact information. According to Apple, Address Book suffers from a format string vulnerability involving the way it handles specially malformed URLs. By enticing one of your OS X users to a malicious web site, an attacker can exploit this vulnerability to execute code on your user’s machine, with that user’s privileges. The attacker could then leverage other vulnerabilities (described in Apple’s update) to obtain full control of that user’s machine.
  • ColorSync memory corruption vulnerability. ColorSync is OS X’s color management software. It suffers from an unspecified memory corruption vulnerability involving the way it handles specially crafted ColorSync profiles embedded into image files. By enticing one of your users into opening a malicious image, or into visiting a web site hosting that image file, an attacker can exploit this flaw to execute malicious code on your user’s computer, with that user’s privileges. Again, an attacker could also exploit other flaws (described in Apple’s update) to gain complete control of that user’s machine.
  • Memory corruption vulnerability in Safari RSS. Safari, OS X’s web browser, ships with an RSS component to allow you to subscribe to news feeds like the WatchGuard Wire. Unfortunately, Safari RSS suffers from an unspecified memory corruption vulnerability involving the way it handles maliciously crafted RSS feeds. If an attacker can entice one of your users to visit a malicious RSS feed, he can exploit this flaw to execute code on that user’s computer, then exploit other flaws to gain complete control of that computer.

Apple’s alert includes over 28 more flaws, including many more code execution flaws besides the ones described above. The remaining vulnerabilities also include Denial of Service (DoS) flaws, elevation of privilege flaws, and even a Cross-Site Scripting (XSS) flaw, plus others. Components patched by this security update include:

  • CFNetwork
  • Core Foundation
  • CUPS
  • Desktop Services
  • Flash Player Plug-in
  • GNU tar
  • iChat
  • IO Storage Family
  • Launch Services
  • Mail
  • perl
  • python
  • Quicklook
  • ruby
  • Safari
  • Samba
  • Shockwave Plug-in
  • SMB
  • Software Update
  • Spin Tracer
  • Spotlight
  • tcpdump
  • XQuery

Refer to Apple’s alert for more details.

In a separate bulletin, Apple also fixed an XSS vulnerability in Safari 3 for Windows BETA. For more details, see Apple’s Safari for Windows bulletin. If you use Safari 3 for Windows on your network, install the patch.

Solution Path:

Apple has released updates to fix these vulnerabilities for both OS X 10.4.11 and 10.5.1. Apple OS X administrators should download, test, and deploy the appropriate updates as soon as possible.

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend you let OS X’s Software Update utility automatically pick the correct update for you.

For All Users:

These flaws support diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). The most secure course of action is to install the updates.

Status:

Apple released updates to fix these issues.
