Serious Mac OS X vulnerabilities addressed by Apple update of 6/7

From: Aron Roberts <aron_at_socrates.berkeley.edu>
Date: Tue Jun 08 2004 - 10:22:22 PDT

   As you may recall, possibly the most serious security
vulnerabilities yet uncovered in Apple's Mac OS X were publicly
reported in mid-May. To Apple's considerable discredit, at least one
of these vulnerabilities may have been privately reported to the
company as early as February. (See below for an overview of these
vulnerabilities.)

   Fortunately, during the three-week period after these
vulnerabilities were first made public, no exploits were reported
in the wild.

   Yesterday, June 7, 2004, Apple issued a set of patches ("Security
Update") which, in combination with previously-issued patches,
appears to fully address these vulnerabilities. All users of Mac OS
X 10.3 ("Panther") and 10.2 ("Jaguar") should install these patches
at their **earliest opportunity**.

   In the opinion of John Gruber, who has been reporting on these
security vulnerabilities on his "Daring Fireball" weblog:

>If anything, the coverage has been underplayed. These are serious
>vulnerabilities which could be exploited for serious harm. You could
>reasonably argue that this is the worst security problem in the
>entire history of the Macintosh.

Security Updates available from Apple
-------------------------------------
Since these vulnerabilities were publicized in mid-May, Apple issued
"Security Update 2004-05-24" which addressed several of these
vulnerabilities. (One vulnerability for Panther users was also
addressed in the Mac OS X 10.3.4 update.)

   Yesterday, June 7, 2004, Apple issued a new "Security Update
2004-06-07" for Mac OS X, which appears to fully address the
remaining vulnerabilities.

   You can view a list of these security updates, with the specific
issues they address, on the "Apple Security Update" page at
<http://docs.info.apple.com/article.html?artnum=61798>.

   As John Gruber noted in a follow-up article on his weblog, posted
after the release of this update
<http://daringfireball.net/2004/06/security_update>:

>Judging by the changes documented in the release notes, this update
>closes all the URI / Launch Services-related vulnerabilities that
>have been publicized in the last month. I've tested the update on
>three Macs, and indeed, it closes every vulnerability I'm aware of.

   If you are running Mac OS X 10.3.4 or Mac OS X 10.2.8, you can
install this update in the usual way, by selecting "Software
Update..." from the Apple menu (10.3.4) or by selecting "System
Preferences..." from the Apple menu and then clicking the "Software
Update" icon (both 10.3.4 and 10.2.8).

   If you are running an earlier release of Panther or Jaguar, you
will need to upgrade to the latest "dot releases" above in order to
install the latest Security Update. All system software upgrades -
whether under Mac OS X or any other operating system - can potentially
introduce unforeseen problems, so it is highly desirable to have an
up-to-date backup of your startup disk prior to upgrading.

About the vulnerabilities
-------------------------
A brief summary of key vulnerabilities in Mac OS X which are
addressed by Apple's recent Security Updates:

   - URLs starting with "disk://" or "disks://" could cause a disk
     image file to be both downloaded *and* automatically mounted
     on your desktop.

     After doing so:

     - URLs starting with "help://" could cause Apple's Help Viewer
       application to run an arbitrary script from a known location on
       that disk image, with all of the privileges of the current user.

     - In addition, a script or program on that disk image, when
       launched, could register a new protocol (URL scheme) with
       Launch Services ("mymaliciousprotocol://"). It could also
       change the registration information for either that new
       protocol or an existing protocol to specify which program or
       script - including one contained on that just-downloaded
       disk image - would be executed to handle that protocol
       from then on.

   - URLs starting with "telnet://" could be used to arbitrarily
     create new files or overwrite existing files, with the
     privileges of the current user.

Background reading
------------------
In addition to the articles covering this topic on John Gruber's
weblog <http://daringfireball.net/archives/> you can find three more
excellent background articles on the "codepoetry" weblog:

"Getting the Security Holes Straight"
<http://www.codepoetry.net/archives/2004/05/25/getting_the_security_holes_straight.php>

"Now We're Getting Silly"
<http://www.codepoetry.net/archives/2004/05/22/now_were_getting_silly.php>

"Help!" [origins of the Help Viewer script execution vulnerability]
<http://www.codepoetry.net/archives/2004/05/19/help.php>

Aron Roberts
Workstation Software Support Group

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about MAGNet, its meetings and events, and its
mailing list, including information on subscribing and unsubscribing,
see the MAGNet Web site at <http://magnet.berkeley.edu/>.
Received on Tue Jun 8 10:23:44 2004

This archive was generated by hypermail 2.1.8 : Tue Jun 08 2004 - 10:23:45 PDT