updated 03:30 pm EDT, Fri September 29, 2006
Mac OS X security update
Apple today issued Security Update 2006-006, improving security for Mac OS X 10.3.9 through Mac OS X 10.4.7. The update addresses issues for both Mac OS X Client and Mac OS X Server regarding CFNetwork, Cyrus SASL, the Flash Player plug-in, QuickDraw, and WebKit. Individual fixes apply to CFNetwork; Flash Player; ImageIO; the Mac OS X kernel; LoginWindow; Preferences; QuickDraw Manager; SASL; WebCore; and Workgroup Manager. Apple's newly released Mac OS X 10.4.8 already contains the security fixes in its 2006-006 update, and installs on Mac OS X 10.4 or later, as well as Mac OS X Server 10.4 or later systems. Users can update via the Mac OS X Software Update feature, or by downloading the update from Apple's website.
CFNetwork clients such as Safari may allow unauthenticated SSL sites to appear as authenticated. Connections created using SSL are normally authenticated and encrypted. When encryption is implemented without authentication, malicious sites may be able to pose as trusted sites. In the case of Safari this may lead to the lock icon being displayed when the identity of a remote site cannot be trusted. This update addresses the issue by disallowing anonymous SSL connections by default. Apple offers credit to Adam Bryzak of Queensland University of Technology for reporting the issue.
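The defect above is a client treating an encrypted but unauthenticated (anonymous key exchange) connection as trusted. As an added example, not Apple's or CFNetwork's code, the following Python shows a client-side check that mirrors the fix: the peer must present a certificate that verifies, and anonymous cipher suites are removed from the offer so they can never be negotiated. The function names are this example's own.

```python
import ssl

# Name fragments that identify anonymous key exchange in OpenSSL and IANA
# suite names: the peer is encrypted to but never authenticated.
ANON_MARKERS = ("ADH", "AECDH", "ANON")


def is_anonymous_suite(name: str) -> bool:
    """True if a cipher-suite name denotes an anonymous (no-certificate) suite."""
    parts = name.upper().replace("_", "-").split("-")
    return any(marker in parts for marker in ANON_MARKERS)


def encrypted_but_unauthenticated_context() -> ssl.SSLContext:
    """The weak configuration the advisory describes: traffic is encrypted,
    but the remote identity is never checked, so any server 'looks' trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def authenticated_context() -> ssl.SSLContext:
    """The corrected configuration: require a certificate that chains to a
    trust root and matches the host name, and drop anonymous suites
    (aNULL) and unencrypted suites (eNULL) from what the client will offer."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + check_hostname
    ctx.set_ciphers("DEFAULT:!aNULL:!eNULL")
    return ctx


def context_authenticates_peer(ctx: ssl.SSLContext) -> bool:
    """Report whether a context can only ever produce authenticated
    connections: certificate verification is mandatory and no anonymous
    suite is present in the enabled cipher list."""
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        return False
    return not any(is_anonymous_suite(c["name"]) for c in ctx.get_ciphers())


if __name__ == "__main__":
    for label, ctx in (("weak", encrypted_but_unauthenticated_context()),
                       ("hardened", authenticated_context())):
        print(f"{label}: authenticates peer = {context_authenticates_peer(ctx)}")
```

Only a context for which `context_authenticates_peer` returns True should be allowed to drive a "secure connection" indicator such as a lock icon.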
Adobe Flash Player contains critical vulnerabilities that may lead to arbitrary code execution when handling maliciously-crafted content. The update addresses the issues by incorporating Flash Player 18.104.22.168 on Mac OS X 10.3.9 and Flash Player 22.214.171.124 on Mac OS X 10.4 systems.
By carefully crafting a corrupt JPEG2000 image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution. The update addresses the issue by performing additional validation of JPEG2000 images. This issue does not affect systems prior to Mac OS X 10.4. Apple offers credit to Tom Saxton of Idle Loop Software Design for reporting the issue.
An error handling mechanism in the kernel, known as Mach exception ports, provides the ability to control programs when certain types of errors are encountered. Malicious local users could use this mechanism to execute arbitrary code in privileged programs if an error is encountered. The update addresses the issue by restricting access to Mach exception ports for privileged programs. Apple offers credit to Dino Dai Zovi of Matasano Security for reporting the issue.
Due to an unchecked error condition, Kerberos tickets may not be properly destroyed after unsuccessfully attempting to log in to a network account via loginwindow. This could result in unauthorized access by other local users to a previous user's Kerberos tickets. The update addresses the issue by clearing the credentials cache after failed logins, and the issue does not affect systems prior to Mac OS X 10.4. Apple offers credit to Patrick Gallagher of Digital Peaks Corporation for reporting the issue.
An error in the handling of Fast User Switching may allow a local user to gain access to the Kerberos tickets of other local users. Fast User Switching has been updated to prevent this situation, and the issue does not affect systems prior to Mac OS X 10.4. Apple offers credit to Ragnar Sundblad of the Royal Institute of Technology, Stockholm, Sweden for reporting the issue.
Service access controls can be used to restrict which users are allowed to log in to a system via loginwindow. A logic error in loginwindow allows network accounts without GUIDs to bypass service access controls. The issue only affects systems that are configured to use service access controls for loginwindow and to allow network accounts to authenticate users without a GUID. The issue is resolved by properly handling service access controls in loginwindow, and does not affect systems prior to Mac OS X 10.4.
Clearing the "Allow user to administer this computer" checkbox in System Preferences may fail to remove the account from the appserveradm or appserverusr groups. These groups allow an account to manage WebObjects applications. The update addresses the issue by ensuring the account is removed from the appropriate groups, and the issue does not affect systems prior to Mac OS X 10.4. Apple offers credit to Phillip Tejada of Fruit Bat Software for reporting the issue.
Certain applications invoke an unsupported QuickDraw operation to display PICT images. By carefully crafting a corrupt PICT image, an attacker can trigger memory corruption in these applications, which may lead to an application crash or arbitrary code execution. The update addresses the issue by preventing the unsupported operation.
An issue in the DIGEST-MD5 negotiation support in Cyrus SASL can lead to a segmentation fault in the IMAP server with a maliciously-crafted realm header. The update addresses the issue through improved handling of realm headers in authentication attempts.
A memory management error in WebKit's handling of certain HTML could allow a malicious website to cause a crash or potentially execute arbitrary code as the user viewing the site. The update addresses the issue by preventing the condition causing the overflow. Apple offers credit to Jens Kutilek of Netzallee for reporting the issue.
Workgroup Manager appears to allow switching authentication type from crypt to ShadowHash passwords in a NetInfo parent, when in actuality it does not. Refreshing the view of an account in a NetInfo parent will properly indicate that crypt is still being used. The update addresses the issue by disallowing administrators from selecting ShadowHash passwords for accounts in a NetInfo parent. Apple offers credit to Chris Pepper of The Rockefeller University for reporting the issue.