The Security Side of the Mac OS X 10.5.8 Update

Article by George Norman (Cybersecurity Editor)

on 06 Aug 2009

Apple has just updated its Mac OS X operating system to version 10.5.8, an update meant to address the OS’s stability, compatibility and safety. The update, which applies to AirPort, Bluetooth, Mac OS X 10.5, Safari 4, iCal 3.x and MobileMe iDisk, comes with quite a long list of fixes and enhancements – if you want to check them out, a detailed article is available here. In this article we will focus on the security aspect of the Mac OS X 10.5.8 update.

At the bottom of the “What’s included in this update” list, Apple mentions that Mac OS X 10.5.8 comes with the “latest security fixes.” These refer to a total of 18 vulnerabilities affecting Apple’s products; some of the vulnerabilities are quite nasty, allowing an attacker who successfully exploits them to execute code remotely on the targeted machine.

It goes without saying (but I’ll say it nonetheless) that if you want to stay safe and protected you should update your Leopard to Mac OS X 10.5.8. And to spark things off, here is the detailed list of vulnerabilities that Mac OS X 10.5.8 addresses, as provided by Apple (just the impact and the description, to keep things simple):

bzip2

Impact: Decompressing maliciously crafted data may lead to an unexpected application termination
Description: An out-of-bounds memory access exists in bzip2. Opening a maliciously crafted compressed file may lead to an unexpected application termination. This update addresses the issue by updating bzip2 to version 1.0.5. Further information is available via the bzip2 web site at http://bzip.org/

CFNetwork

Impact: A maliciously crafted website may control the displayed website URL in a certificate warning
Description: When Safari reaches a website via a 302 redirection and a certificate warning is displayed, the warning will contain the original website URL instead of the current website URL. This may allow a maliciously crafted website that is reached via an open redirector on a user-trusted website to control the displayed website URL in a certificate warning. This issue was addressed by returning the correct URL in the underlying CFNetwork layer. This issue does not affect systems prior to Mac OS X v10.5.
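The CFNetwork entry above, modelled as an added example (not part of Apple's advisory or the original article): a simulated 302 redirect chain in which the certificate failure happens on the second host, with the pre-fix and corrected warning text side by side. The host names, hop table and warning wording are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample hops (not real sites). "cert_ok" stands in for the outcome
# of TLS certificate validation for the host serving that URL.
START = "https://trusted.example/go?to=https://other.example/login"
CONSTRUCTED_HOPS = {
    START: {"status": 302, "location": "https://other.example/login",
            "cert_ok": True},
    "https://other.example/login": {"status": 200, "location": None,
                                    "cert_ok": False},
}


def load(start_url, hops, max_redirects=10):
    """Follow redirects; return (original_url, current_url, cert_ok) where loading stops."""
    current = start_url
    for _ in range(max_redirects + 1):
        hop = hops[current]
        if not hop["cert_ok"]:
            # Validation failed for the host of *current*, not of start_url.
            return start_url, current, False
        if hop["status"] in (301, 302, 303, 307, 308) and hop["location"]:
            current = urljoin(current, hop["location"])
            continue
        return start_url, current, True
    raise RuntimeError("too many redirects")


def warning_pre_fix(original_url, current_url):
    """Behaviour the advisory describes: the warning names the original URL."""
    return f"Cannot verify the identity of {urlsplit(original_url).hostname}"


def warning_post_fix(original_url, current_url):
    """Corrected behaviour: the warning names the URL whose certificate failed."""
    return f"Cannot verify the identity of {urlsplit(current_url).hostname}"


def warning_names_failing_host(warning, current_url):
    """Regression check: the warning must mention the host that failed validation."""
    return urlsplit(current_url).hostname in warning


if __name__ == "__main__":
    original, current, ok = load(START, CONSTRUCTED_HOPS)
    print("pre-fix :", warning_pre_fix(original, current))
    print("post-fix:", warning_post_fix(original, current))
```

The same check applies to any client that follows redirects before showing a trust prompt: the prompt should be built from the URL of the hop that failed validation.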

ColorSync

Impact: Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of images with an embedded ColorSync profile. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of ColorSync profiles.

CoreTypes

Impact: Users are not warned before opening certain potentially unsafe content types
Description: This update extends the system's list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious JavaScript payload. This update improves the system's ability to notify users before handling content types used by Safari.

Dock

Impact: A person with physical access to a locked system may use four-finger Multi-Touch gestures
Description: The screen saver does not block four-finger Multi-Touch gestures, which may allow a person with physical access to a locked system to manage applications or use Exposé. This update addresses the issue by properly blocking Multi-Touch gestures when the screen saver is running. This issue only affects systems with a Multi-Touch trackpad.

Image RAW

Impact: Viewing a maliciously crafted Canon RAW image may lead to an unexpected application termination or arbitrary code execution
Description: A stack buffer overflow exists in the handling of Canon RAW images. Viewing a maliciously crafted Canon RAW image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. For Mac OS X v10.4 systems, this issue is already addressed with Digital Camera RAW Compatibility Update 2.6.

ImageIO

Impact: Viewing a maliciously crafted OpenEXR image may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in ImageIO's handling of OpenEXR images. Viewing a maliciously crafted OpenEXR image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by updating OpenEXR to version 1.6.1.

ImageIO

Impact: Viewing a maliciously crafted OpenEXR image may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in ImageIO's handling of OpenEXR images. Viewing a maliciously crafted OpenEXR image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through proper memory initialization and additional validation of OpenEXR images.

ImageIO

Impact: Viewing a maliciously crafted OpenEXR image may lead to an unexpected application termination or arbitrary code execution
Description: Multiple integer overflows exist in ImageIO's handling of OpenEXR images. Viewing a maliciously crafted OpenEXR image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issues through improved bounds checking.

ImageIO

Impact: Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in ImageIO's handling of EXIF metadata. Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems prior to Mac OS X v10.5.

ImageIO

Impact: Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized pointer issue exists in the handling of PNG images. Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PNG images.

Kernel

Impact: A local user may obtain system privileges
Description: An implementation issue exists in the kernel's handling of fcntl system calls. A local user may overwrite kernel memory and execute arbitrary code with system privileges. This update addresses the issue through improved handling of fcntl system calls.

launchd

Impact: Opening many connections to an inetd-based launchd service may lead to a denial of service
Description: Opening many connections to an inetd-based launchd service may cause launchd to stop servicing incoming connections to that service until the next system restart. This update addresses the issue through improved error handling.

Login Window

Impact: A format string issue in Login Window may lead to an unexpected application termination or arbitrary code execution
Description: A format string issue in Login Window's handling of application names may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of application names.

MobileMe

Impact: Signing out of MobileMe does not remove all credentials
Description: A logic issue exists in the MobileMe preference pane. Signing out of the preference pane does not delete all credentials. A person with access to the local user account may continue to access any other system associated with the MobileMe account which had previously been signed in for that local account. This update addresses the issue by deleting all the credentials on sign out.

Networking

Impact: Receiving a maliciously crafted AppleTalk response packet may lead to arbitrary code execution with system privileges or an unexpected system shutdown
Description: A buffer overflow exists in the kernel's handling of AppleTalk response packets. Receiving a maliciously crafted AppleTalk response packet may lead to arbitrary code execution with system privileges or an unexpected system shutdown. This update addresses the issue through improved validation of AppleTalk response packets.

Networking

Impact: A local user may cause an unexpected system shutdown
Description: A synchronization issue exists in the handling of file descriptor sharing over local sockets. By sending messages containing file descriptors to a socket with no receiver, a local user may cause an unexpected system shutdown. This update addresses the issue through improved handling of file descriptor sharing.

XQuery

Impact: Processing maliciously crafted XML content may lead to arbitrary code execution
Description: A buffer overflow exists in the handling of character classes in regular expressions in the Perl Compatible Regular Expressions (PCRE) library used by XQuery. This may allow a remote attacker to execute arbitrary code via a regular expression containing a character class with a large number of characters with Unicode code points greater than 255. This update addresses the issue by updating PCRE to version 7.6.


If you would like to get Mac OS X 10.5.8, a download location is available here.
Alternatively, you can get the update via Software Update: select “Software Update” from the “Apple” menu. Please note that you should not interrupt the update process once it has started.

