Archive for the 'Bugs' Category

Month of Apple Bugs (MOAB) status

Wednesday, March 14th, 2007

A month and a half has passed since the Month of Apple Bugs (MOAB) ended, so in view of the latest update from Apple I thought it would be appropriate to give a status on where we are. Below is the complete list of the bugs revealed and the status of each one of them - do let me know if I have missed anything.

Those marked with a CVE-ID are all official fixes published by Apple and are available from www.apple.com.

Security Update 2007-002

Friday, February 16th, 2007

Security Update
Apple has released a security update which takes care of a number of security issues addressed during the “Month of Apple Bugs”, as follows:

Finder

CVE-ID: CVE-2007-0197

Available for: Mac OS X v10.4.8, Mac OS X Server v10.4.8

Impact:

Mounting a maliciously-crafted disk image may lead to an application crash or arbitrary code execution

Description:

A buffer overflow exists in Finder’s handling of volume names. By enticing a user to mount a malicious disk image, an attacker could trigger this issue, which may lead to an application crash or arbitrary code execution. A proof of concept for this issue has been published on the “Month of Apple Bugs” website (MOAB-09-01-2007). This update addresses the issue by performing additional validation of disk images. This issue does not affect systems prior to Mac OS X v10.4. Credit to Kevin Finisterre of DigitalMunition for reporting this issue.

iChat

CVE-ID: CVE-2007-0614, CVE-2007-0710

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8

Impact:

Attackers on the local network may be able to cause iChat to crash

Description:

A null pointer dereference in iChat’s Bonjour message handling could allow a local network attacker to cause an application crash. A proof of concept for this issue in Mac OS X v10.4 has been published on the “Month of Apple Bugs” website (MOAB-29-01-2007). A similar issue exists in Mac OS X v10.3. This update addresses the issues by performing additional validation of Bonjour messages.

iChat

CVE-ID: CVE-2007-0021

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8

Impact:

Visiting malicious websites may lead to an application crash or arbitrary code execution

Description:

A format string vulnerability exists in the iChat AIM URL handler. By enticing a user to access a maliciously-crafted AIM URL, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. A proof of concept for this issue has been published on the “Month of Apple Bugs” website (MOAB-20-01-2007). This update addresses the issue by performing additional validation of AIM URLs.

UserNotification

CVE-ID: CVE-2007-0023

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8

Impact:

Malicious local users may be able to obtain system privileges

Description:

The UserNotificationCenter process runs with elevated privileges in the context of a local user. This may allow a malicious local user to overwrite or modify system files. A program that triggers this issue has been published on the “Month of Apple Bugs” website (MOAB-22-01-2007). This update addresses the issue by having UserNotificationCenter drop its group privileges immediately after launching.

I have installed the update with no problems - the update required a restart of the machine.

Get it from Apple Support Downloads or via your Software Update.

This is a 6.6 MB download

MOAB-29-01-2007: Apple iChat Bonjour Multiple Denial of Service Vulnerabilities

Wednesday, January 31st, 2007

Bonjour, also known as zero-configuration networking, enables automatic discovery of computers, devices, and services on IP networks. Bonjour uses industry standard IP protocols to allow devices to automatically discover each other without the need to enter IP addresses or configure DNS servers.

Apple iChat Bonjour functionality is affected by several denial of service flaws. The simplest of them is the lack of throttling for discovery of available contacts (via mDNS queries). iChat will add any advertised _presence._tcp records, without even verifying whether some of them already exist (e.g. matching first or last name, AIM handle, etc.). A malicious user could advertise fake records and successfully block iChat users using Bonjour from discovering further peers in the network and having reliable communications.

The other issue can be used remotely to directly cause an exception in the iChat Agent when parsing a crafted TXT key hash. This will instantly cause a SIGTRAP signal to be sent to the process, causing a so-called ‘crash’. Further attempts to launch iChat Bonjour functionality again will fail as mDNSResponder keeps the crafted record (and restarting it will be necessary). These particular issues can’t be abused for arbitrary code execution.

Note: this should be considered an issue in mDNSResponder as well; iChat isn’t involved in the processing of any mDNS service advertisements (although it should definitely throttle presence queries). mDNSResponder stops responding shortly after abuse.
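The two checks the advisory says are missing, deduplication of advertised contacts and throttling of a flooding source, together with a TXT record parser that bounds-checks the length bytes before slicing, as an added Python example that is not MOAB's or Apple's code; the TXT keys 1st, last and AIM used as identity fields, and the sample records, are assumptions.

```python
from collections import defaultdict

def parse_txt_rdata(data: bytes) -> dict:
    """Parse DNS TXT rdata (<len><key=value> strings). The length byte is
    attacker-controlled, so it is checked against the buffer before slicing;
    an overrun raises ValueError instead of reading past the record."""
    out, i = {}, 0
    while i < len(data):
        n, i = data[i], i + 1
        if i + n > len(data):
            raise ValueError("TXT string length overruns the record")
        item, i = data[i:i + n], i + n
        key, sep, value = item.partition(b"=")
        if key and sep:  # ignore empty strings and bare words without '='
            out.setdefault(key.decode("ascii", "replace"),
                           value.decode("utf-8", "replace"))
    return out

def encode_txt(*items: str) -> bytes:
    """Build TXT rdata for the constructed sample records."""
    return b"".join(bytes([len(s)]) + s.encode() for s in items)

# Assumed identity attributes of a presence record (first/last name, AIM handle).
IDENTITY_KEYS = ("1st", "last", "AIM")

class PresenceRegistry:
    """Contact list that dedupes by identity and throttles announcements per
    source address, the two checks the advisory says iChat does not perform."""
    def __init__(self, max_attempts_per_source: int = 5):
        self.contacts = {}
        self.attempts = defaultdict(int)
        self.max_attempts = max_attempts_per_source

    def add(self, source_ip: str, rdata: bytes) -> str:
        """Return 'malformed', 'duplicate', 'throttled' or 'added'. Every
        announcement counts against its source, malformed ones included."""
        self.attempts[source_ip] += 1
        try:
            txt = parse_txt_rdata(rdata)
        except ValueError:
            return "malformed"
        ident = tuple(txt.get(k, "") for k in IDENTITY_KEYS)
        if ident in self.contacts:
            return "duplicate"
        if self.attempts[source_ip] > self.max_attempts:
            return "throttled"
        self.contacts[ident] = txt
        return "added"
```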

Workaround or temporary solution

For instance, either don’t use iChat with Bonjour or disable mDNSResponder all the way. You don’t want to be (another) nevaR reldA, seriously.

$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
$ sudo mv /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist \
/Users/Shared/com.apple.mDNSResponder.plist.BACKUP

Full details
Note: Safari might crash visiting this site

MOAB-28-01-2007: Apple crashdump Privilege Escalation Vulnerability

Monday, January 29th, 2007

The 28th bug has been posted in the series of “Month of Apple Bugs” published on the web every day in January 2007 - this time an Apple crashdump Privilege Escalation Vulnerability.

crashreporterd is the daemon responsible for detecting application crashes. crashreporterd listens for mach exceptions and when it detects a mach exception launches crashdump to investigate the crash and report it to the user.

crashdump is a helper tool used by the crashreporterd daemon to create crash reports and notify the user of application crashes. Users should not run crashdump manually.

crashdump will try to write reports at the user home directory first (/Users/[user]/Library/Logs/CrashReporter/), and if it’s not available (ex. permissions don’t allow it), it will try the system-wide log directory instead (ex. /Library/Logs/CrashReporter/).

The problem is that it will follow symlinks, and users in the admin group have write access to the directory. As crashreporterd runs under root privileges, any file can be modified by planting a symlink in the /Library/Logs/CrashReporter/ directory, named like the application that will cause the crash dump. We can influence the output by tampering with the Mach-O format. The provided proof of concept demonstrates this by using crafted library names within the binary that triggers the issue.

Exploitation of this issue allows admin-group users (unlike MOAB-22-01-2007, which allows any user) to gain root privileges without any user interaction.
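As an added example (not Apple's crashdump code), the symlink-safe way for a privileged process to write a report into a directory that other users can write to: the directory and the final name are both opened with O_NOFOLLOW, and the opened file is checked afterwards for planted hard links or foreign ownership. The directory and file names in the self-test are temporary ones constructed here.

```python
import os
import stat
import tempfile

def open_report(log_dir: str, app_name: str) -> int:
    """Open <log_dir>/<app_name>.crash.log for append without following any
    symlink and return the fd; raise OSError/ValueError if anything looks
    planted. Meant for a privileged writer using a shared directory."""
    if not app_name or "/" in app_name or app_name in (".", ".."):
        raise ValueError("report name must be a single path component")
    # Open the directory itself with O_NOFOLLOW, then create the report
    # relative to it, so neither component can be a symlink elsewhere.
    dfd = os.open(log_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
        fd = os.open(app_name + ".crash.log", flags, 0o640, dir_fd=dfd)
    finally:
        os.close(dfd)
    try:
        st = os.fstat(fd)
        # A hard link or a file pre-created by another user opens fine,
        # so those are refused after the fact.
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            raise OSError("report target is not a plain regular file")
        if st.st_uid != os.geteuid():
            raise OSError("report file is owned by another user")
    except OSError:
        os.close(fd)
        raise
    return fd

def demo_symlink_refused() -> dict:
    """Self-test in a temporary directory: a symlink named like a crashing
    app (the MOAB-28-01-2007 pattern) is refused and its target untouched."""
    tmp = tempfile.mkdtemp()
    log_dir = os.path.join(tmp, "CrashReporter")
    os.mkdir(log_dir)
    target = os.path.join(tmp, "victim.conf")   # stands in for a system file
    open(target, "w").close()
    os.symlink(target, os.path.join(log_dir, "Evil.app.crash.log"))
    result = {}
    try:
        os.close(open_report(log_dir, "Evil.app"))
        result["symlink"] = "followed"
    except OSError:
        result["symlink"] = "refused"
    fd = open_report(log_dir, "Finder")        # an ordinary report still works
    os.write(fd, b"crash report\n")
    os.close(fd)
    result["target_untouched"] = os.path.getsize(target) == 0
    return result
```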

Full details

MOAB-27-01-2007: Telestream Flip4Mac WMV Parsing Memory Corruption Vulnerability

Sunday, January 28th, 2007

The 27th bug has been posted in the series of “Month of Apple Bugs” published on the web every day in January 2007 - this time a Telestream Flip4Mac WMV Parsing Memory Corruption Vulnerability.

Flip4Mac™ WMV is a collection of QuickTime components that allow you to play, import, and export Windows Media video and audio files on your Mac using your favorite QuickTime-based applications.

WMV files use the Advanced Systems Format (ASF) container format, originally supported on Macintosh systems via Microsoft’s “Windows Media Player for Mac”. Since Microsoft decided to stop development of its Mac port of Windows Media Player, Flip4Mac became the ‘endorsed’, somewhat official solution.

Flip4Mac fails to properly handle WMV files with a crafted ASF_File_Properties_Object size field, leading to an exploitable memory corruption condition which can be abused remotely for arbitrary code execution.
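An added Python example (not Telestream's or Apple's code) of the bounds check a WMV/ASF reader needs on every object's size field before trusting it: each ASF object starts with a 16-byte GUID and a 64-bit little-endian size that includes that 24-byte header, so a forged size below 24 or beyond the enclosing data is what a naive reader copies from. The GUIDs in the constructed sample are placeholders, not the identifiers from the ASF specification.

```python
import struct

OBJ_HDR = 24  # every ASF object: 16-byte GUID + 64-bit little-endian size

def walk_objects(buf: bytes, start: int, end: int):
    """Yield (guid, size, payload_offset) for objects in buf[start:end]; the
    size counts the 24-byte header, so < 24 or > remaining bytes is rejected."""
    pos = start
    while pos < end:
        if end - pos < OBJ_HDR:
            raise ValueError(f"truncated object header at offset {pos}")
        guid = buf[pos:pos + 16]
        (size,) = struct.unpack_from("<Q", buf, pos + 16)
        if size < OBJ_HDR or size > end - pos:
            raise ValueError(f"object size {size} at {pos} does not fit")
        yield guid, size, pos + OBJ_HDR
        pos += size

def check_asf(buf: bytes) -> list:
    """Validate the top level and the objects nested inside the first
    (Header) object, whose payload starts with count(4) + 2 reserved bytes."""
    top = list(walk_objects(buf, 0, len(buf)))
    if not top:
        raise ValueError("no objects")
    _, size, payload = top[0]
    if size < OBJ_HDR + 6:
        raise ValueError("Header Object smaller than its fixed fields")
    (count,) = struct.unpack_from("<I", buf, payload)
    subs = list(walk_objects(buf, payload + 6, size))
    if count != len(subs):
        raise ValueError(f"header declares {count} objects, found {len(subs)}")
    return [guid for guid, _, _ in subs]

def is_sane(buf: bytes) -> bool:
    try:
        check_asf(buf)
        return True
    except ValueError:
        return False

def build_object(guid: bytes, payload: bytes, claimed_size=None) -> bytes:
    size = OBJ_HDR + len(payload) if claimed_size is None else claimed_size
    return guid + struct.pack("<Q", size) + payload  # claimed_size forges it

def sample(forged_size=None) -> bytes:
    """Constructed file with placeholder GUIDs (not the spec's real values):
    a Header Object holding one 104-byte sub-object, then an empty Data Object."""
    hdr, props, data = bytes([1] * 16), bytes([2] * 16), bytes([3] * 16)
    sub = build_object(props, bytes(80), forged_size)
    return build_object(hdr, struct.pack("<IBB", 1, 1, 2) + sub) + build_object(data, b"")
```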

Workaround or temporary solution

Disable Flip4Mac and/or automated opening of WMV files, and wait for a patch to be released by the vendor.

Full details

MOAB-26-01-2007: Apple Installer Package Filename Format String Vulnerability

Saturday, January 27th, 2007

The 26th bug has been posted in the series of “Month of Apple Bugs” published on the web every day in January 2007 - this time an Apple Installer Package Filename Format String Vulnerability.

Apple Installer is the application in charge of handling the installation of packages for Mac OS X, in form of pkg, distz and mpkg files.

Installer fails to properly handle package filename strings. It is affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution.

Full details

Official fix for MoAB-19-01-2007

Friday, January 26th, 2007

Transmit 3.5.6
Panic Software has released an official fix for the vulnerability addressed during the Month of Apple Bugs.

Details of the update:

Fixes potential security vulnerability with FTP and FTPS URL handlers

I have installed the update with no problems - you can pick up the new version from the developer’s site.

MOAB-25-01-2007: Apple CFNetwork HTTP Response Denial of Service

Friday, January 26th, 2007

The 25th bug has been posted in the series of “Month of Apple Bugs” published on the web every day in January 2007 - this time Apple CFNetwork HTTP Response Denial of Service.

CFNetwork is a framework in the Core Services framework that provides a library of abstractions for network protocols.

CFNetwork fails to handle certain HTTP responses properly, causing the _CFNetConnectionWillEnqueueRequests() function to dereference a NULL pointer, leading to a denial of service condition exploitable by a server sending a crafted response to a client application making use of this API.

Workaround or temporary solution

Perform sanity checking of HTTP responses received via CFNetwork API. Wait for Apple to add further checks and fix the _CFNetConnectionWillEnqueueRequests() API.

Full details

MOAB-24-01-2007: Apple Software Update Catalog Filename Format String Vulnerability

Friday, January 26th, 2007

The 24th bug has been posted in the series of “Month of Apple Bugs” published on the web every day in January 2007 - this time an Apple Software Update Catalog Filename Format String Vulnerability.

Apple Software Update is used for delivering patches to end-users, such as the Apple Security Update 2007-001. It relies on the HTTP protocol for retrieving files associated with each available patch, and handles the application/x-apple.sucatalog+xml MIME type and the sucatalog and swutmp file extensions.

Software Update fails to properly handle filename strings containing the swutmp extension. It is affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution.

Full details

MOAB-23-01-2007: Apple QuickDraw GetSrcBits32ARGB() Memory Corruption Vulnerability

Friday, January 26th, 2007

The 23rd bug has been posted in the series of “Month of Apple Bugs” published on the web every day in January 2007 - this time an Apple QuickDraw GetSrcBits32ARGB() Memory Corruption Vulnerability.

...a collection of system software routines that your application can use to perform most image-manipulation operations on Macintosh computers.

QuickDraw has been integrated in Mac OS X since very early versions and is used by QuickTime and any other application that needs to handle PICT images. A vulnerability exists in the handling of ARGB records (Alpha RGB) within PICT images that leads to an exploitable memory corruption condition (e.g. a denial of service, a so-called crash, which can be used to gain root privileges in combination with MOAB-22-01-2007).

Workaround or temporary solution

Use RCdefaultApp to disable any file and MIME type associations related to PICT files. This is necessary to prevent QuickTime, and especially Safari or any other application, from automatically loading a malicious image exploiting this issue.

Full details