Panther Patches Mac OS X Security Holes

UPDATED: Security researchers now report three vulnerabilities in Mac OS X that are fixed in the Panther update. Security pros blast Apple on skipping a fix for older OS versions.

Security researchers have identified three new vulnerabilities in Apple Computer Inc.s Mac OS X, one of which may allow attackers to execute some arbitrary commands as a root user under some circumstances.

The flaws affect all versions of the operating system through 10.2 and are fixed in release 10.3, also known as Panther, according to Apple.

The first vulnerability is a buffer overrun that allows an attacker to crash the OS X kernel simply by entering a command line argument of a specific length. Once the attack is executed, the machine crashes immediately, without generating any log files or error messages, according to an advisory on the issue released Tuesday by @stake Inc., based in Cambridge, Mass., which discovered both weaknesses. The crashed machine will reboot eventually.


However, an attacker can also use this vulnerability to get the machine to return small amounts of its memory to him. Researchers at @stake said it appears the only thing being returned to the attacker is memory addresses, which arent normally considered to be sensitive information.

Although they were unable to use this flaw to run code on vulnerable machines, the @stake researchers said that it may be possible, given that the weakness lies in the OS X kernel itself.

The second new problem involves the way that the OS handles core files, which are a snapshot of the systems state when a machine crashes. When core files are enabled in OS X, processes owned by root will write a core file to the /cores directory. These files are owned by the root process, which would have read-only access to them. The attacker can also read the contents of the core files created by the root process.

But, because the directory is writable and the names of the files in it are predictable, an attacker could create symbolic links to these files and point them to files elsewhere on the system. In this way, he could essentially overwrite any of the core files. To do this, the attacker would need interactive shell access to the machine, @stake said.

However, the core files setting is disabled by default on OS X, according to Apple, based in Cupertino, Calif.

The third vulnerability involves the fact that OS X allows many applications to be installed with insecure file permissions. This can result in many of the files and directories in these applications being globally writable, @stake said.

Although Apple has provided fixes for these flaws in Panther, the latest version of OS X, it has declined to create any patches for users who plan to stick with earlier versions. Panther has only been available since Oct. 24 and costs $129 for a single-user upgrade. The lack of a fix for existing, still-supported versions of OS X has been a topic of much conversation on security mailing lists this week.

"I think this is definitely a dangerous precedent to set. Imagine the rage if I found some vulnerabilities in Windows XP and Microsofts response was upgrade to Windows 2003," said Thor Larholm, senior security researcher at PivX Solutions LLC, based in Newport Beach, Calif. "I cant believe that Apple would have this as their stated policy, and I hope they very quickly announce it to be an unfortunate slip."

Discuss this in the eWEEK forum.