
10.4.6: Multiple Vulnerabilities

They're rated 'highly critical'. They do not depend on social engineering and they do not require any user interaction. And they exist in Apple's latest 10.4.6.


As validated by Secunia, there are a half dozen recently discovered holes in OS X 'Tiger' 10.4.6 which make it unsafe to surf the web. These holes were discovered by Tom Ferris of Security Protocols and reported to Apple at the beginning of this year. Apple have responded by assuring they will all be fixed 'in the next release' [sic].

As Tom Ferris of Security Protocols writes in his blog: 'there seem to be some problems with the claimed solid as a rock Unix OS'.

'I have been fuzzing a few Apple OS X applications and found some very interesting issues', explains Ferris. 'For example mdimportserver pops up a crash screen almost every few minutes. It really gets in the way when you're trying to break other applications. Safari seems to be worst when it comes to parsing input correctly. Getting Safari to crash in many different spots is trivial, as where Firefox is very tough. I have been researching the AFP (Apple Filing Protocol) and I wrote a very basic fuzzer and it has found some very neat bugs.'

LZWDecodeVector Heap Overflow

http://security-protocols.com/sp-x24-advisory.php

Of the seven holes cited by Ferris, only one was fixed - and without a murmur - in 10.4.6. The misbehaviour of the core level LZWDecodeVector threatens several standard OS X applications: Finder, Preview, QuickTime, and Safari. A POC image has been set up online at the following URL.

http://security-protocols.com/poc/sp-x24.tiff

This hole affects all OS X systems prior to 10.4.6.

BOM ArchiveHelper Heap Overflow

http://security-protocols.com/sp-x25-advisory.php

This hole was reported on 21 February of this year. No fix is yet available.

BOMArchiveHelper, the default archive file handler for 'Tiger', has a heap overflow vulnerability which allows an attacker to cause the application to crash and/or to execute arbitrary code on a targeted host. A POC archive has been set up online at the following URL.

http://security-protocols.com/poc/sp-x25.zip

This hole affects all 'Tiger' systems and it has not been patched.

Safari 2.0.3 Multiple Vulnerabilities

http://security-protocols.com/sp-x26-advisory.php

This hole was reported on 6 January of this year. No fix is yet available.

Multiple vulnerabilities exist within Safari 2.0.3 (417.9.2) and all prior versions which cause the application to crash and may allow an attacker to execute arbitrary code. Ferris comments: 'as Ilja once said, it is trivial to get Safari to crash - he is right'.

Three POC pages are available at the following URLs.

http://security-protocols.com/poc/sp-x26-1.html
http://security-protocols.com/poc/sp-x26-2.html
http://security-protocols.com/poc/sp-x26-4.html

This hole affects all versions of Safari and it has not been patched.

ReadBMP Heap Overflow

http://security-protocols.com/sp-x27-advisory.php

This hole has also been reported to Apple. No fix is yet available.

A heap overflow vulnerability exists when processing BMP files which causes applications to crash and may allow an attacker to execute arbitrary code. This hole affects applications such as Preview which use ReadBMP. A POC page has been set up online at the following URL.

http://security-protocols.com/poc/sp-x27.html

This hole affects all versions of OS X and it has not been patched.

CFAllocatorAllocate Heap Overflow

http://security-protocols.com/sp-x28-advisory.php

This hole has also been reported to Apple. No fix is yet available.

A heap overflow vulnerability exists when processing GIF files which causes applications to crash and may allow an attacker to execute arbitrary code. This hole affects applications such as Safari which use CFAllocatorAllocate. A POC page has been set up online at the following URL.

http://security-protocols.com/poc/sp-x28.html

This hole affects all versions of OS X and it has not been patched.

_cg_TIFFSetField Denial of Service

http://security-protocols.com/sp-x29-advisory.php

This hole has also been reported to Apple. No fix is yet available.

The misbehaviour of the core level _cg_TIFFSetField threatens several standard OS X applications: Finder, Preview, QuickTime, and Safari. A POC page has been set up online at the following URL.

http://security-protocols.com/poc/sp-x29.html

This hole affects all versions of OS X and it has not been patched.

PredictorVSetField Heap Overflow

http://security-protocols.com/sp-x30-advisory.php

This hole has also been reported to Apple. No fix is yet available.

The misbehaviour of the core level PredictorVSetField threatens several standard OS X applications: Finder, Preview, QuickTime, and Safari. A POC page has been set up online at the following URL.

http://security-protocols.com/poc/sp-x30.html

Bottom Line

The bottom line? Easy. Do not use OS X online until Apple release patches for these holes. And do not trust Apple until they show they're willing to take security seriously.


Tom Ferris of Security Protocols is an acknowledged security researcher previously employed by eEye Digital Security, Foundstone Corporation, and the United States Department of Defense.

Copyright © Rixstep. All rights reserved.