
Critical: Mac OS X 10.5.5 & Security Update 2008-006 for Mac OS X 10.4

September 16, 2008

SCS Computing Facilities has received the following announcement from campus Computing Services.

Apple's normal smorgasbord of security fixes. Our own Chris Ries is once again credited for discovering one of the issues.

* The DNS client resolution library is FINALLY updated to add resilience against poisoning with query source port randomization.

* VNC viewer passwords are limited to only 8 characters even though the interface allowed entering more than 8 characters. Consider tunneling VNC through SSH if you need VNC viewer capability.

* Some interesting Login Window issues that may affect your lab setups.

Title:

Mac OS X 10.5.5 & Security Update 2008-006 for Mac OS X 10.4

CMU Relevance:

Definitely used on campus

Severity:

Critical

Impact:

Remote Code Execution

Security Bypass

Information Disclosure

Denial of Service

Exploit Code Available:

Unknown

Affected Versions:

  • Mac OS X versions 10.4.11 and prior
  • Mac OS X Server versions 10.4.11 and prior
  • Mac OS X versions 10.5 through 10.5.4
  • Mac OS X Server versions 10.5 through 10.5.4

Vulnerability Details:

Multiple vulnerabilities have been identified in Apple Mac OS X, which could be exploited by remote or local attackers to disclose sensitive information, bypass security restrictions, cause a denial of service or compromise an affected system. These issues are caused by buffer overflow, insecure file, null pointer dereference, uninitialized memory access, memory corruption, race condition, integer overflow, input validation and design errors.

Note: fixes apply to all platforms unless otherwise noted.

ATS

Impact: A heap buffer overflow exists in Apple Type Services' handling of PostScript font names. Viewing a document containing a maliciously crafted font may lead to arbitrary code execution. Credit to Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.

BIND

Impact: BIND is updated to address performance issues. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P2. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P2.

ClamAV

Impact: ClamAV is updated to 0.93.3.

Platform: Mac OS X Server v10.4.11, Mac OS X Server v10.5 through v10.5.4

Directory Services

Impact: A person with access to the login screen may be able to list user names. By supplying wildcard characters in the user name field, a list of user names from Active Directory may be displayed.

Platform: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

Directory Services

Impact: A local user may obtain the server password if an OpenLDAP system administrator runs slapconfig.

Platform: Mac OS X Server v10.4.11, Mac OS X Server v10.5 through v10.5.4

Finder

Impact: Finder does not update the displayed permissions under some circumstances in a Get Info window. After clicking the lock button, changes to the filesystem Sharing & Permissions will take effect, but will not be displayed.

Platform: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

Finder

Impact: An attacker with access to the local network may cause a denial of service. A null pointer dereference issue exists in the Finder when it searches for a remote disc.

Platform: Mac OS X v10.5.2, MacBook Air running Mac OS X v10.5.3, and MacBook Air running Mac OS X v10.5.4.

ImageIO

Impact: Viewing a maliciously crafted TIFF or JPEG image may lead to an unexpected application termination or arbitrary code execution. libpng in ImageIO is updated to version 1.2.29 (although the security fix in the new libpng is NOT known to affect ImageIO, it is applied as a precaution).

Kernel

Impact: Files may be accessed by a local user who does not have the proper permissions. Cached credentials are not always flushed when a vnode is recycled. This may allow a local user to read or write to a file where the permissions would not allow it.

Platform: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

libresolv

Impact: libresolv is susceptible to DNS cache poisoning and may return forged information.

Login Window

Impact: A user may log in without providing a password. A race condition exists in Login Window. To trigger this issue, the system must have the Guest account enabled or another account with no password. In a small proportion of attempts, an attempt to log in to such an account will not complete. The user list would then be presented again, and the person would be able to log in as any user without providing a password. If the original account were the Guest account, the contents of the new account will be deleted on logout.

Platform: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

Login Window

Impact: A person with access to the login screen may be able to change a user's password. When a system has been configured to enforce policies on login passwords, users may be required to change their password in the login screen. If a password change fails, an error message is displayed, but the current password is not cleared. This may not be obvious to the user. If the user leaves the system unattended with this error message displayed, a person with access to the login screen may be able to reset that user's password.

Platform: Mac OS X v10.4.11, Mac OS X Server v10.4.11

mDNSResponder

Impact: mDNSResponder is susceptible to DNS cache poisoning and may return forged information. mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. This update addresses the issue by implementing source port and transaction ID randomization to improve resilience.

OpenSSH

Impact: Multiple vulnerabilities in OpenSSH, the most serious of which is local X11 session control. Updated to OpenSSH 5.1p1.

QuickDraw Manager

Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution.

Ruby

Impact: Running a Ruby script that uses untrusted input as the arguments to the Array#fill method may lead to an unexpected application termination or arbitrary code execution.

SearchKit

Impact: Applications passing untrusted input to the SearchKit API may lead to an unexpected application termination or arbitrary code execution.

System Configuration

Impact: A local user may obtain the PPP password.

Platform: Mac OS X v10.4.11, Mac OS X Server v10.4.11

System Preferences

Impact: Remote Management and Screen Sharing can be configured to require a password for VNC viewers. The maximum length for VNC viewer passwords is eight characters. The password field can display more than eight characters, implying that the additional characters are used in the password. This update addresses the issue by limiting VNC viewer passwords to eight characters in the user interface.

Platform: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

System Preferences

Impact: Authenticated users may have unexpected remote access to files and directories. The File Sharing pane in the Sharing preference pane does not fully convey the actual access privileges. A user may infer that only the folders listed under 'Shared Folders' are accessible. However, authenticated users may also access their home directories, and administrators may access all disks on the system.

Platform: Mac OS X v10.5 through v10.5.4

Time Machine

Impact: During the Time Machine Backup, several log files are saved to the backup drive with read permission allowed to other users. This may lead to the disclosure of sensitive information.

Platform: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

VideoConference

Impact: A memory corruption issue exists in the VideoConference framework's handling of H.264 encoded media. Videoconferencing with a malicious user may lead to an unexpected application termination or arbitrary code execution.

Wiki Server

Impact: The Wiki Server mailing list archive will execute JavaScript code embedded in messages. A remote person may send an email containing JavaScript code to a mailing list hosted on a Wiki server. Viewing the message from the Wiki Server mailing list archive will trigger the execution of the embedded JavaScript code on the system of the person viewing the message.

Platform: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

References:

Apple: http://support.apple.com/kb/HT3137

FrSIRT: http://www.frsirt.com/english/advisories/2008/2584

Suggested Mitigation Steps:

Apply Apple software updates

  • 10.4.x users: Apply Security Update 2008-006
  • 10.5.x users: Apply Mac OS X 10.5.5 Update

Automated

Run Software Update.

Apple menu > Software Update

Manual

Apple Mac OS X 10.5.5 Combo Update:
http://www.apple.com/support/downloads/macosx1055comboupdate.html

Apple Mac OS X Server Combo 10.5.5:
http://www.apple.com/support/downloads/macosxservercombo1055.html

Apple Security Update 2008-006 Client (Intel):
http://www.apple.com/support/downloads/securityupdate2008006clientintel.htm

Apple Security Update 2008-006 Client (PPC):
http://www.apple.com/support/downloads/securityupdate2008006clientppc.html

Apple Security Update 2008-006 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008006serverppc.html

Apple Security Update 2008-006 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008006serveruniversal.html

Ted Pham
Information Security Office
Carnegie Mellon University

---------------------------------------------
Departmental Computing Group Mailing List
dept-computing-group@lists.andrew.cmu.edu
http://www.cmu.edu/computing/dept-computing
---------------------------------------------
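A defender-side check related to the libresolv and mDNSResponder entries in the announcement above (an added example, not part of the announcement or of Apple's update): given a log of a resolver's outgoing queries, it scores how much the UDP source ports and DNS transaction IDs vary, which is the property the update adds. The log lines, their field names and the two resolvers they describe are constructed for this example.

```python
import math
import re
from collections import Counter

# Constructed sample query logs (not real captures): one line per outgoing
# query, recording the UDP source port and the DNS transaction ID it used.
FIXED_PORT_LOG = """\
2008-09-16T10:00:01 A example.com srcport=32768 txid=4097
2008-09-16T10:00:02 A example.net srcport=32768 txid=4098
2008-09-16T10:00:03 A example.org srcport=32768 txid=4099
2008-09-16T10:00:04 A example.edu srcport=32768 txid=4100
2008-09-16T10:00:05 A cmu.edu     srcport=32768 txid=4101
2008-09-16T10:00:06 A cs.cmu.edu  srcport=32768 txid=4102
"""
RANDOMIZED_LOG = """\
2008-09-16T10:00:01 A example.com srcport=51342 txid=18733
2008-09-16T10:00:02 A example.net srcport=60117 txid=2641
2008-09-16T10:00:03 A example.org srcport=49960 txid=55102
2008-09-16T10:00:04 A example.edu srcport=57201 txid=40377
2008-09-16T10:00:05 A cmu.edu     srcport=53888 txid=9216
2008-09-16T10:00:06 A cs.cmu.edu  srcport=63405 txid=31764
"""
LINE_RE = re.compile(r"srcport=(\d+)\s+txid=(\d+)")

def parse_log(text):
    """Return a list of (source_port, transaction_id) pairs from the log."""
    return [(int(p), int(t)) for p, t in LINE_RE.findall(text)]

def entropy_bits(values):
    """Shannon entropy of the observed value distribution, in bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def is_sequential(values):
    """True when every value is exactly one more than the previous one."""
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))

def assess(text):
    """Classify a resolver's query stream as 'weak' or 'randomized'."""
    records = parse_log(text)
    ports = [p for p, _ in records]
    txids = [t for _, t in records]
    # n observations can show at most log2(n) bits of entropy; a port that
    # falls well short of that ceiling, or IDs that simply count up, means
    # a forger has far fewer guesses to make than port+ID randomization allows.
    ceiling = math.log2(len(records))
    port_h, txid_h = entropy_bits(ports), entropy_bits(txids)
    weak = port_h < ceiling - 1.0 or is_sequential(txids) or is_sequential(ports)
    return {"port_entropy": port_h, "txid_entropy": txid_h,
            "sequential_txid": is_sequential(txids),
            "verdict": "weak" if weak else "randomized"}
```

On a live host the same scoring can be fed from a packet capture of UDP port 53 traffic; a few dozen queries are enough to tell a fixed source port from a randomized one.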

Please contact help+@cs.cmu.edu or call the SCS Help Desk (x8-4231) if you have questions or problems with applying these patches.

Thank you for your attention,

SCS Help Desk