Security Update 2006-004 for Mac OS X released by Apple (PowerPC and Intel)

CNET staff

Apple has released Security Update 2006-004 for Mac OS X in both PowerPC and Intel versions. This update requires Mac OS X 10.4.7 for either PowerPC or Intel, Mac OS X 10.3.9 or Mac OS X 10.3.9 Server.

This is the fourth major standalone security update for Mac OS X released this year.

Download links are as follows:

Update procedure recommendation

First, avoid performing any other operations (in Mac OS X or third-party applications) while the update process is occurring. In addition, before installing this security update, make sure all Apple-installed applications and utilities are in their original locations. Moving one of these applications to a different location on your hard drive can lead to an incomplete update. Also, disconnect any FireWire/USB devices before applying the update (except for your startup drive, if it is FireWire or USB, and your keyboard/mouse), then re-connect the devices one by one (checking for issues created by any particular device) after the update process is complete and the system has restarted.

Problems after applying the update? Please let us know.

Enhancements in this release

Of most interest to general end-users:

  • a fix that prevents maliciously crafted Zip archives from causing a condition where arbitrary code can be executed. In other words, prior to Security Update 2006-004 you could download a specially crafted file ending in .zip from a Web site or other location, and it could trigger the execution of malicious code.
  • a fix that disallows maliciously crafted Canon RAW images from creating a buffer overflow, potentially leading to arbitrary code execution. Prior to Security Update 2006-004, you could download or otherwise receive a Canon RAW file that could allow execution of malicious code on your system.
  • similar to the above, a fix that prevents maliciously crafted GIF images from causing an integer overflow, potentially leading to arbitrary code execution.
  • new download validation that will catch certain HTML files defined by Safari as "safe" that may actually contain malicious JavaScript code. After applying Security Update 2006-004, these files will not be automatically opened.
  • Protection against maliciously crafted HTML documents that can also open the door for arbitrary code execution by accessing deallocated objects.

A full list of enhancements is as follows:

AFP Server
  • An issue in the AFP server allows search results to include files and folders for which the user performing the search has no access. This may lead to information disclosure if the names themselves are sensitive information. If the permissions of the items allow it, the contents may also be accessible. This update addresses the issue in Mac OS X v10.3.9 by ensuring that search results only include items for which the user is authorized. For Mac OS X v10.4 systems, the issue was addressed in Mac OS X v10.4.7. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9.
  • The AFP server contains an integer overflow that can be triggered by an authenticated user. A malicious user with access to the AFP server may be able to cause a denial of service attack or arbitrary code execution with system privileges. The AFP server is not enabled by default on Mac OS X. This update addresses the issue by performing additional validation. Credit to Dino Dai Zovi of Matasano Security for reporting this issue. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7.
  • On Mac OS X Server, the AFP server supports reconnection of file sharing sessions after a network outage. The storage of reconnect keys is world-readable. It may be possible for an authenticated local user to read the reconnect keys, use them to impersonate another user over AFP, and access files or folders with the privileges of the impersonated user. This update addresses the issue by protecting the reconnect keys with appropriate file system permissions. This issue only affects Mac OS X Server. Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.7.
  • An unchecked error condition exists in the AFP server that may lead to a crash. By carefully crafting an invalid AFP request, an attacker may be able to trigger this condition and cause a denial of service. This update addresses the issue by handling the formerly unchecked error condition. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7.
Bluetooth
  • The security of the Bluetooth Setup Assistant has been improved in this update for Mac OS X v10.4.7. The length of the automatically generated passkey used for pairing has been increased from six characters to eight characters. Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7.
Bom
  • An issue in Bom's compression state handling may cause heap corruption. By carefully crafting a corrupt Zip archive and persuading a victim to open it, an attacker may be able to trigger this condition which could lead to an application crash or arbitrary code execution. Note that Safari will automatically open archives when "Open `safe' files after downloading" is enabled. This update addresses the issue by properly handling such malformed Zip archives. Credit to Tom Ferris of Security-Protocols.com for reporting this issue. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7.
DHCP
  • A stack buffer overflow exists in bootpd's request processing. By carefully crafting a malicious BOOTP request, a remote attacker may be able to trigger the overflow and cause arbitrary code execution with the privileges of the system. Note that bootpd is not enabled by default in Mac OS X, and must be manually configured in order to be enabled. This update addresses the issue by performing additional bounds checking. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7.
dyld
  • Malicious local system users may specify dynamic linker options that cause output to standard error. This output contains informational content and potentially user-specified content. As a result, privileged applications that parse or reuse standard error may be influenced inappropriately. This update addresses the issue by ignoring the problematic dynamic linker options in privileged applications. Credit to Neil Archibald of Suresec LTD for reporting this issue. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7.
  • An improperly handled condition in the dynamic linker may lead to including dangerous paths when searching for libraries to load into privileged applications. As a result, malicious local users may cause the dynamic linker to load and execute arbitrary code with elevated privileges. This update addresses the issue by properly selecting search paths when executing privileged applications. Credit to Neil Archibald of Suresec LTD for reporting this issue. Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7.
fetchmail
  • Several issues in the fetchmail utility were discovered. The most serious issue could lead to arbitrary code execution when fetching mail from a malicious POP3 mail server. All issues are described at the fetchmail website (fetchmail.berlios.de). This update addresses the issues by updating fetchmail to version 6.3.4. In addition, fetchmail is no longer distributed as a privileged utility. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7.
gunzip
  • A race condition may allow a malicious local user to modify the permissions of files owned by another user executing gunzip. This issue is only exploitable when executing gunzip on files in directories that are modifiable by other users. This update addresses the issue by properly handling files while decompressing. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7.
  • A directory traversal vulnerability is present in the command line utility gunzip when it is used with the non-default "-N" option. By carefully crafting a malicious compressed file and persuading a user to open it with "gunzip -N", an attacker may replace or create arbitrary files with the privileges of the victim. This update addresses the issue by properly stripping paths from files when decompressing. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7.
Image RAW
  • By carefully crafting a corrupt Canon RAW image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of Canon RAW images. This issue does not affect systems prior to Mac OS X v10.4. Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7.
ImageIO
  • By carefully crafting a corrupt Radiance image, an attacker can trigger an integer overflow which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of Radiance images. This issue does not affect systems prior to Mac OS X v10.4. Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7.
  • By carefully crafting a corrupt GIF image, an attacker can trigger an undetected memory allocation failure which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of GIF images. This issue does not affect systems prior to Mac OS X v10.4. Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7.
  • By carefully crafting a corrupt GIF image, an attacker can trigger an integer overflow which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of GIF images. This issue does not affect systems prior to Mac OS X v10.4. Credit to Tom Ferris of Security-Protocols.com for reporting this issue. Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7.
LaunchServices
  • Download Validation may erroneously identify certain files containing HTML as "safe". If such a file is downloaded in Safari and Safari's "Open `safe' files after downloading" option is enabled, the HTML document will automatically be opened from a local URI. This would allow any JavaScript code embedded in the document to bypass access restrictions normally imposed on remote content. This update provides additional checks to identify potentially malicious file types so that they are not automatically opened. This issue does not affect systems prior to Mac OS X v10.4. Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7.
OpenSSH
  • Attempting to log in to an OpenSSH server ("Remote Login") using a nonexistent account causes the authentication process to hang. An attacker can exploit this behavior to detect the existence of a particular account. A large number of such attempts may lead to a denial of service. This update addresses the issue by properly handling attempted logins by nonexistent users. This issue does not affect systems prior to Mac OS X v10.4. Credit to Rob Middleton of the Centenary Institute (Sydney, Australia) for reporting this issue. Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7.
telnet
  • When connected to a TELNET server, the client may send the contents of arbitrary environment variables to the server if the server requests them. Some environment variables may contain sensitive information that should not be sent over the network. This update addresses the issue by ensuring that only non-sensitive variables and variables that the user has explicitly requested are shared with the server. Credit to Gael Delalleau and iDEFENSE for reporting this issue. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7.
WebKit
  • A maliciously crafted HTML document could cause a previously deallocated object to be accessed. This may lead to an application crash or arbitrary code execution. This update addresses the issue by properly handling such documents. Credit to Jesse Ruderman of Mozilla Corporation for reporting this issue. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7.
AppKit, ImageIO
  • Buffer overflows were discovered in TIFF tag handling (CVE-2006-3459, CVE-2006-3465), the TIFF PixarLog decoder (CVE-2006-3461), and the TIFF NeXT RLE decoder (CVE-2006-3462). By carefully crafting a corrupt TIFF image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of TIFF images. Systems prior to Mac OS X v10.4 are affected only by the TIFF NeXT RLE decoder issue (CVE-2006-3462). Credit to Tavis Ormandy, Google Security Team for reporting this issue. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7.
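The gunzip "-N" entry above describes the fix as stripping directory components from the file name stored in the archive header. The following added example (not Apple's or gzip's own code) parses a gzip member header per RFC 1952, reduces the stored FNAME to a bare file name the way a corrected "-N" must, and checks the CRC32/ISIZE trailer; `make_gzip` builds a constructed fixture carrying a traversal-style name, and all function names are this example's own.

```python
import posixpath
import struct
import zlib

FEXTRA, FNAME, FCOMMENT, FHCRC = 0x04, 0x08, 0x10, 0x02  # RFC 1952 FLG bits


def parse_gzip_header(data: bytes):
    """Return (stored_name_or_None, offset_of_deflate_data) for one gzip member."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a gzip/deflate stream")
    flg, pos = data[3], 10  # fixed 10-byte header: ID1 ID2 CM FLG MTIME XFL OS
    if flg & FEXTRA:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    name = None
    if flg & FNAME:  # NUL-terminated original file name chosen by whoever built the file
        end = data.index(b"\x00", pos)
        name = data[pos:end].decode("latin-1")
        pos = end + 1
    if flg & FCOMMENT:
        pos = data.index(b"\x00", pos) + 1
    if flg & FHCRC:
        pos += 2
    return name, pos


def safe_output_name(stored_name: str) -> str:
    """Keep only the last path component of a header-supplied name (the -N fix)."""
    base = posixpath.basename(stored_name.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError(f"unusable file name in header: {stored_name!r}")
    return base


def extract_member(data: bytes):
    """Return (safe_name_or_None, payload) after checking the CRC32/ISIZE trailer."""
    name, pos = parse_gzip_header(data)
    d = zlib.decompressobj(-15)  # raw deflate: no zlib wrapper inside gzip
    payload = d.decompress(data[pos:]) + d.flush()
    if not d.eof or len(d.unused_data) < 8:
        raise ValueError("truncated gzip member")
    crc, isize = struct.unpack("<II", d.unused_data[:8])
    if crc != zlib.crc32(payload) or isize != (len(payload) & 0xFFFFFFFF):
        raise ValueError("gzip trailer mismatch")
    return (safe_output_name(name) if name else None), payload


def make_gzip(stored_name: str, payload: bytes) -> bytes:
    """Constructed fixture (not a real archive): gzip member with a chosen FNAME."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    header = b"\x1f\x8b\x08" + bytes([FNAME]) + b"\x00" * 4 + b"\x00\x03"
    header += stored_name.encode("latin-1") + b"\x00"
    trailer = struct.pack("<II", zlib.crc32(payload), len(payload))
    return header + c.compress(payload) + c.flush() + trailer
```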

Feedback? Late-breakers@macfixit.com.

Resources

  • Security Update 2006-004 (10.3.9 Client) [29.5MB]
  • Security Update 2006-004 (10.3.9 Server) [42.7MB]
  • Security Update 2006-004 Mac OS X 10.4.7 Client (Intel) [8.3MB]
  • Security Update 2006-004 Mac OS X 10.4.7 Client (PPC) [5.4MB]