Patching Tiger: Apple Plugs Buffer Overflows

Apple ships a Mac OS X update to correct a dozen security holes, including a highly critical buffer overflow.

Apple has released a security update to correct a dozen vulnerabilities in its flagship Mac OS X operating system, including a code execution flaw in the Apple File Protocol server.

Security alerts aggregator Secunia has rated the update as "highly critical" and warns that the flaws affect Mac OS X 10.3.9 and Mac OS X 10.4.1 (client and server).

In all, the 12 vulnerabilities could put Mac users at risk of computer hijack, security bypass, exposure of system information, privilege escalation and denial-of-service attacks.

According to an advisory from Apple, the most serious of the flaws was identified in the AFP (Apple File Protocol) server, which handles file sharing in the operating system's LAN architecture.

Apple described the issue as a "buffer overflow in support for legacy clients [that] could permit the running of arbitrary code."

"The Mac OS X AFP Server supports a number of legacy clients. A buffer overflow in support for one of these clients could permit arbitrary code to run. This update modifies the AFP Server to correct this buffer overflow," the company said, noting that the issue does not affect systems prior to Mac OS X 10.4.

A separate bug in the AFP Server is also addressed with a warning from Apple that in certain situations, an ACL may remain attached when a file with POSIX-only permissions is copied.

"The ACL that is left behind could cause confusion, as it will override the POSIX file permissions for the file owner. The ACL does not permit other users to access the file," the company said. This issue does not affect systems prior to Mac OS X 10.4.

The Security Update 2005-006 also adds fixes for multiple known flaws in the PHP programming language. It updates PHP to version 4.3.11 to plug multiple PHP holes that could cause remote denial-of-service attacks or the execution of malicious code.

The update also corrects a potentially serious flaw in the "launchd" launch daemon, which was added to Tiger to simplify the operating system's program-launching mechanism. The bug could allow local users to escalate privileges to gain ownership of arbitrary files.


A third code execution hole is fixed in Apple's "vpnd" to address an issue where a local user could gain root privileges if the system is being used as a VPN server. Apple described the vulnerability as a buffer overflow but stressed that it cannot be exploited remotely.

A safety check bypass flaw in LaunchServices is also fixed in Mac OS X 10.4.1. Apple said file extensions and MIME types marked as unsafe but not mapped to an Apple UTI could bypass download safety checks.

"This update corrects the query code to correctly identify unsafe file extensions and mime types regardless of the presence of an Apple UTI," the company said.

A weakness in Apple's implementation of the Bluetooth wireless protocol is also addressed to provide a fix for insufficient input checking. The update includes a pair of fixes for CoreGraphics and a potential file race condition in Folder Permissions. Mac OS X 10.4 uses secure folder permissions to protect the system's cache folder and Dashboard system widgets.

Two other flaws were also fixed in the MCX Client and Apple's implementation of the NFS (Network File System) protocol.
