Security Update 2006-003 Now Available
Now in Software update:
Further details can be found in the Apple Knowledge Base.
Security Update 2006-002 was issued two months ago, in March.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Security Update 2006-003
- Thread starter MacRumors
- Start date
- Sort by reaction score
Security Update 2006-003 Now Available
Now in Software update:
Security Update 2006-002 was issued two months ago, in March.
Holy crap!
Almost all the fixes are for critical security holes that could lead to arbitrary code execution.
Planting a trojan on a system running Mac OS X without this security update would be a piece of cake for an attacker with detailed knowledge of all these vulnerabilities. Mail reading, image viewing, Internet surfing or CD file browsing would all be unsafe activities.
Almost all the fixes are for critical security holes that could lead to arbitrary code execution.
Planting a trojan on a system running Mac OS X without this security update would be a piece of cake for an attacker with detailed knowledge of all these vulnerabilities. Mail reading, image viewing, Internet surfing or CD file browsing would all be unsafe activities.
Detailed changes:
AppKit - Characters entered into a secure text field can be read by other applications in the same window session
Under certain circumstances when switching between text input fields, NSSecureTextField may fail to re-enable secure event input. This may allow other applications in the same window session to see some input characters and keyboard events. This update addresses the issue by ensuring secure event input is properly enabled. This issue does not affect systems prior to Mac OS X v10.4.
AppKit, ImageIO - Viewing a maliciously-crafted GIF or TIFF image may lead to arbitrary code execution
The handling of malformed GIF or TIFF image may lead to arbitrary code execution when parsing a maliciously-crafted image. This affects applications that use the ImageIO (Mac OS X v10.4 Tiger) or AppKit (Mac OS X v10.3 Panther) framework to read images. This update addresses the issue by performing additional validation of GIF and TIFF images.
BOM - Expanding an archive may lead to arbitrary code execution
By carefully crafting an archive (such as a Zip archive) containing long path names, an attacker may be able to trigger a heap buffer overflow in BOM. This may result in arbitrary code execution. BOM is used to handle archives in Finder and other applications. This update adresses the issue by properly handling the boundary conditions.
BOM - Expanding a malicious archive may cause arbitrary files to be created or overwritten
An issue in the handling of directory traversal symbolic links encountered in archives may cause BOM to create or overwrite files in arbitrary locations accessible to the user expanding the archive. BOM handles archives on behalf of Finder and other applications. This update addresses the issue by ensuring that files expanded from an archive are not placed outside the destination directory.
CFNetwork - Visiting malicious web sites may lead to arbitrary code execution
An integer overflow in the handling of chunked transfer encoding could lead to arbitrary code execution. CFNetwork is used by Safari and other applications. This update addresses the issue by performing additional validation. The issue does not affect systems prior to Mac OS X v10.4.
ClamAV - Processing maliciously-crafted email messages with ClamAV may lead to arbitrary code execution
The ClamAV virus scanning software has been updated to incorporate security fixes in the latest release. ClamAV was introduced in Mac OS X Server v10.4 for email scanning. The most severe of these issues could lead to arbitrary code execution with the privileges of ClamAV. For more information, see the project web site at http://www.clamav.net.
CoreFoundation - Registration of an untrusted bundle may lead to arbitrary code execution
Under certain circumstances, bundles are implicitly registered by applications or the system. A feature of the bundle API allows dynamic libraries to load and execute when a bundle is registered, even if the client application does not explicitly request it. As a result, arbitrary code may be executed from an untrusted bundle without explicit user interaction. This update addresses the issue by only loading and executing libraries from the bundle at the appropriate time.
CoreFoundation - String conversions to file system representation may lead to arbitrary code execution
An integer underflow during the processing of a boundary condition in CFStringGetFileSystemRepresentation may lead to arbitrary code execution. Applications that use this API or one of the related APIs such as NSFileManager's getFileSystemRepresentation:maxLength:withPath: may trigger the issue and lead to arbitrary code execution. This update adresses the issue by properly handling the boundary conditions.
CoreGraphics - Characters entered into a secure text field can be read by other applications in the same window session
Quartz Event Services provides applications with the ability to observe and alter low-level user input events. Normally, applications cannot intercept events when secure event input is enabled. However, if "Enable access for assistive devices" is on, Quartz Event Services can be used to intercept events even when secure event input is enabled. This update addresses the issue by filtering events when secure event input is enabled. This issue does not affect systems prior to Mac OS X v10.4. Credit to Damien Bobillot for reporting this issue.
Finder - Launching an Internet Location item may lead to arbitrary code execution
Internet Location items are simple URL containers which may reference http://, ftp://, and file:// URLs, as well as a few other URL schemes. These different types of Internet Location items are visually distinct, and meant to be safe to explicitly launch. However, the scheme of the URL may be different than the Internet Location type. As a result, an attacker may be able to convince a user to launch a supposedly benign item (such as a Web Internet Location, http://), with the result that some other URL scheme is actually used. In certain circumstances, this may lead to arbitrary code execution. This update addresses the issues by restricting the URL scheme based on the Internet Location type.
FTPServer - FTP operations by authenticated FTP users may lead to arbitrary code execution
Multiple issues in FTP server path name handling could result in a buffer overflow. A malicious authenticated user may be able to trigger this overflow which may lead to arbitrary code execution with the privileges of the FTP server. This update adresses the issue by properly handling the boundary conditions.
Flash Player - Playing Flash content may lead to arbitrary code execution
Flash Player contains critical vulnerabilities that may lead to arbitrary code execution when specially-crafted files are loaded. Further information is available via the Macromedia web site at http://www.macromedia.com. This update addresses the issue by incorporating Flash Player version 8.0.24.0.
ImageIO - Viewing a maliciously-crafted JPEG image may lead to arbitrary code execution
An integer overflow in the processing of JPEG metadata may result in a heap buffer overflow. By carefully crafting an image with malformed JPEG metadata, an attacker may be able to cause arbitrary code execution when the image is viewed. This update addresses the issue by performing additional validation of images. This issue does not affect systems prior to Mac OS X v10.4. Credit to Brent Simmons of NewsGator Technologies, Inc. for reporting this issue.
AppKit - Characters entered into a secure text field can be read by other applications in the same window session
Under certain circumstances when switching between text input fields, NSSecureTextField may fail to re-enable secure event input. This may allow other applications in the same window session to see some input characters and keyboard events. This update addresses the issue by ensuring secure event input is properly enabled. This issue does not affect systems prior to Mac OS X v10.4.
AppKit, ImageIO - Viewing a maliciously-crafted GIF or TIFF image may lead to arbitrary code execution
The handling of malformed GIF or TIFF image may lead to arbitrary code execution when parsing a maliciously-crafted image. This affects applications that use the ImageIO (Mac OS X v10.4 Tiger) or AppKit (Mac OS X v10.3 Panther) framework to read images. This update addresses the issue by performing additional validation of GIF and TIFF images.
BOM - Expanding an archive may lead to arbitrary code execution
By carefully crafting an archive (such as a Zip archive) containing long path names, an attacker may be able to trigger a heap buffer overflow in BOM. This may result in arbitrary code execution. BOM is used to handle archives in Finder and other applications. This update adresses the issue by properly handling the boundary conditions.
BOM - Expanding a malicious archive may cause arbitrary files to be created or overwritten
An issue in the handling of directory traversal symbolic links encountered in archives may cause BOM to create or overwrite files in arbitrary locations accessible to the user expanding the archive. BOM handles archives on behalf of Finder and other applications. This update addresses the issue by ensuring that files expanded from an archive are not placed outside the destination directory.
CFNetwork - Visiting malicious web sites may lead to arbitrary code execution
An integer overflow in the handling of chunked transfer encoding could lead to arbitrary code execution. CFNetwork is used by Safari and other applications. This update addresses the issue by performing additional validation. The issue does not affect systems prior to Mac OS X v10.4.
ClamAV - Processing maliciously-crafted email messages with ClamAV may lead to arbitrary code execution
The ClamAV virus scanning software has been updated to incorporate security fixes in the latest release. ClamAV was introduced in Mac OS X Server v10.4 for email scanning. The most severe of these issues could lead to arbitrary code execution with the privileges of ClamAV. For more information, see the project web site at http://www.clamav.net.
CoreFoundation - Registration of an untrusted bundle may lead to arbitrary code execution
Under certain circumstances, bundles are implicitly registered by applications or the system. A feature of the bundle API allows dynamic libraries to load and execute when a bundle is registered, even if the client application does not explicitly request it. As a result, arbitrary code may be executed from an untrusted bundle without explicit user interaction. This update addresses the issue by only loading and executing libraries from the bundle at the appropriate time.
CoreFoundation - String conversions to file system representation may lead to arbitrary code execution
An integer underflow during the processing of a boundary condition in CFStringGetFileSystemRepresentation may lead to arbitrary code execution. Applications that use this API or one of the related APIs such as NSFileManager's getFileSystemRepresentation:maxLength:withPath: may trigger the issue and lead to arbitrary code execution. This update adresses the issue by properly handling the boundary conditions.
CoreGraphics - Characters entered into a secure text field can be read by other applications in the same window session
Quartz Event Services provides applications with the ability to observe and alter low-level user input events. Normally, applications cannot intercept events when secure event input is enabled. However, if "Enable access for assistive devices" is on, Quartz Event Services can be used to intercept events even when secure event input is enabled. This update addresses the issue by filtering events when secure event input is enabled. This issue does not affect systems prior to Mac OS X v10.4. Credit to Damien Bobillot for reporting this issue.
Finder - Launching an Internet Location item may lead to arbitrary code execution
Internet Location items are simple URL containers which may reference http://, ftp://, and file:// URLs, as well as a few other URL schemes. These different types of Internet Location items are visually distinct, and meant to be safe to explicitly launch. However, the scheme of the URL may be different than the Internet Location type. As a result, an attacker may be able to convince a user to launch a supposedly benign item (such as a Web Internet Location, http://), with the result that some other URL scheme is actually used. In certain circumstances, this may lead to arbitrary code execution. This update addresses the issues by restricting the URL scheme based on the Internet Location type.
FTPServer - FTP operations by authenticated FTP users may lead to arbitrary code execution
Multiple issues in FTP server path name handling could result in a buffer overflow. A malicious authenticated user may be able to trigger this overflow which may lead to arbitrary code execution with the privileges of the FTP server. This update adresses the issue by properly handling the boundary conditions.
Flash Player - Playing Flash content may lead to arbitrary code execution
Flash Player contains critical vulnerabilities that may lead to arbitrary code execution when specially-crafted files are loaded. Further information is available via the Macromedia web site at http://www.macromedia.com. This update addresses the issue by incorporating Flash Player version 8.0.24.0.
ImageIO - Viewing a maliciously-crafted JPEG image may lead to arbitrary code execution
An integer overflow in the processing of JPEG metadata may result in a heap buffer overflow. By carefully crafting an image with malformed JPEG metadata, an attacker may be able to cause arbitrary code execution when the image is viewed. This update addresses the issue by performing additional validation of images. This issue does not affect systems prior to Mac OS X v10.4. Credit to Brent Simmons of NewsGator Technologies, Inc. for reporting this issue.
Detailed changes (continued):
Keychain - An application may be able to use Keychain items when the Keychain is locked
When a Keychain is locked, it is not possible for applications to access the Keychain items it contains without first requesting that the Keychain be unlocked. However, an application that has obtained a reference to a Keychain item prior to the Keychain being locked may, in certain circumstances, be able to continue using that Keychain item regardless of whether the Keychain is locked or unlocked. This update addresses the issue by rejecting requests to use Keychain items when the Keychain is locked. Credit to Tobias Hahn of HU Berlin for reporting this issue.
LaunchServices - Viewing a malicious web site may lead to arbitrary code execution
Long file name extensions may prevent Download Validation from correctly determining the application with which an item may be opened. As a result, an attacker may be able to bypass Download Validation and cause Safari to automatically open unsafe content if the "Open `safe' files after downloading" option is enabled and certain applications are not installed. This update addresses the issue through improved checking of the file name extension. This issue does not affect systems prior to Mac OS X v10.4.
libcurl - URL handling in libcurl may lead to arbitrary code execution
The open source HTTP library libcurl contains buffer overflows in URL handling. Applications using curl for URL handling may trigger the issue and lead to arbitrary code execution. This update addresses the issue by incorporating libcurl version 7.15.1. This issue does not affect systems prior to Mac OS X v10.4.
Mail - Viewing a malicious mail message may lead to arbitrary code execution
By preparing a specially-crafted email message with MacMIME encapsulated attachments, an attacker may trigger an integer overflow. This may lead to arbitrary code execution with the privileges of the user running Mail. This issue corrects the issue by performing additional validation of messages.
Mail - Viewing a malicious mail message may lead to arbitrary code execution
The handling of invalid color information in enriched text email messages could cause the allocation and initialization of arbitrary classes. This may lead to arbitrary code execution with the privileges of the user running Mail. This update addresses the issue by properly handling malformed enriched text data.
MySQL Manager - MySQL database may be accessed with an empty password
During the initial setup of a MySQL database server using MySQL Manager, the "New MySQL root password" may be supplied. However, this password is not actually used. As a result, the MySQL root password will remain empty. A local user may then obtain access to the MySQL database with full privileges. This update addresses the issue by ensuring that the entered password is saved. This issue does not affect systems prior to Mac OS X Server v10.4. Credit to Ben Low of the University of New South Wales for reporting this issue.
Preview - Navigating a maliciously-crafted directory hierarchy may lead to arbitrary code execution
When navigating very deep directory hierarchies in Preview, a stack buffer overflow may be trigger. By carefully crafting such a directory hierarchy, it may be possible for an attacker to cause arbitrary code execution if the directories are opened in Preview. This issue does not affect systems prior to Mac OS X v10.4.
QuickDraw - Viewing a maliciously-crafted PICT image may lead to arbitrary code execution
Two issues affect QuickDraw when processing PICT images. Malformed font information may cause a stack buffer overflow, and malformed image data may cause a heap buffer overflow. By carefully crafting a malicious PICT image, an attacker may be able to cause arbitrary code execution when the image is viewed. This update addresses the issue by performing additional validation of PICT images. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.
QuickTime Streaming Server - A malformed QuickTime movie can cause QuickTime Streaming Server to crash
A QuickTime movie that has a missing track may cause a null pointer dereference, causing the server process to crash. This causes active client connections to be interrupted. However, the server is restarted automatically. This update addresses the issue by producing an error when malformed movies are encountered.
QuickTime Streaming Server - Maliciously-crafted RTSP requests may lead to crashes or arbitrary code execution
By carefully crafting an RTSP request, an attacker may be able to trigger a buffer overflow during message logging. This may lead to the arbitrary code execution with the privileges of the QuickTime Streaming Server. This update adresses the issue by properly handling the boundary conditions. Credit to the Mu Security research team for reporting this issue.
Ruby - Ruby safe level restrictions may be bypassed
The Ruby scripting language contains a mechanism called "safe levels" that is used to restrict certain operations. This mechanism is most commonly used when running privileged Ruby applications or Ruby network applications. In certain circumstances, an attacker may be able to bypass the restrictions in such applications. Applications that do not rely on safe levels are unaffected. This update addresses the issue by ensuring that safe levels cannot be bypassed.
Safari - Visiting malicious web sites may lead to file manipulation or arbitrary code execution
When Safari's "Open `safe' files after downloading" option is enabled, archives will be automatically expanded. If the archive contains a symbolic link, the target symlink may be moved to the user's desktop and launched. This update addresses the issue by not resolving downloaded symbolic links. This issue does not affect systems prior to Mac OS X v10.4.
Keychain - An application may be able to use Keychain items when the Keychain is locked
When a Keychain is locked, it is not possible for applications to access the Keychain items it contains without first requesting that the Keychain be unlocked. However, an application that has obtained a reference to a Keychain item prior to the Keychain being locked may, in certain circumstances, be able to continue using that Keychain item regardless of whether the Keychain is locked or unlocked. This update addresses the issue by rejecting requests to use Keychain items when the Keychain is locked. Credit to Tobias Hahn of HU Berlin for reporting this issue.
LaunchServices - Viewing a malicious web site may lead to arbitrary code execution
Long file name extensions may prevent Download Validation from correctly determining the application with which an item may be opened. As a result, an attacker may be able to bypass Download Validation and cause Safari to automatically open unsafe content if the "Open `safe' files after downloading" option is enabled and certain applications are not installed. This update addresses the issue through improved checking of the file name extension. This issue does not affect systems prior to Mac OS X v10.4.
libcurl - URL handling in libcurl may lead to arbitrary code execution
The open source HTTP library libcurl contains buffer overflows in URL handling. Applications using curl for URL handling may trigger the issue and lead to arbitrary code execution. This update addresses the issue by incorporating libcurl version 7.15.1. This issue does not affect systems prior to Mac OS X v10.4.
Mail - Viewing a malicious mail message may lead to arbitrary code execution
By preparing a specially-crafted email message with MacMIME encapsulated attachments, an attacker may trigger an integer overflow. This may lead to arbitrary code execution with the privileges of the user running Mail. This issue corrects the issue by performing additional validation of messages.
Mail - Viewing a malicious mail message may lead to arbitrary code execution
The handling of invalid color information in enriched text email messages could cause the allocation and initialization of arbitrary classes. This may lead to arbitrary code execution with the privileges of the user running Mail. This update addresses the issue by properly handling malformed enriched text data.
MySQL Manager - MySQL database may be accessed with an empty password
During the initial setup of a MySQL database server using MySQL Manager, the "New MySQL root password" may be supplied. However, this password is not actually used. As a result, the MySQL root password will remain empty. A local user may then obtain access to the MySQL database with full privileges. This update addresses the issue by ensuring that the entered password is saved. This issue does not affect systems prior to Mac OS X Server v10.4. Credit to Ben Low of the University of New South Wales for reporting this issue.
Preview - Navigating a maliciously-crafted directory hierarchy may lead to arbitrary code execution
When navigating very deep directory hierarchies in Preview, a stack buffer overflow may be trigger. By carefully crafting such a directory hierarchy, it may be possible for an attacker to cause arbitrary code execution if the directories are opened in Preview. This issue does not affect systems prior to Mac OS X v10.4.
QuickDraw - Viewing a maliciously-crafted PICT image may lead to arbitrary code execution
Two issues affect QuickDraw when processing PICT images. Malformed font information may cause a stack buffer overflow, and malformed image data may cause a heap buffer overflow. By carefully crafting a malicious PICT image, an attacker may be able to cause arbitrary code execution when the image is viewed. This update addresses the issue by performing additional validation of PICT images. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.
QuickTime Streaming Server - A malformed QuickTime movie can cause QuickTime Streaming Server to crash
A QuickTime movie that has a missing track may cause a null pointer dereference, causing the server process to crash. This causes active client connections to be interrupted. However, the server is restarted automatically. This update addresses the issue by producing an error when malformed movies are encountered.
QuickTime Streaming Server - Maliciously-crafted RTSP requests may lead to crashes or arbitrary code execution
By carefully crafting an RTSP request, an attacker may be able to trigger a buffer overflow during message logging. This may lead to the arbitrary code execution with the privileges of the QuickTime Streaming Server. This update adresses the issue by properly handling the boundary conditions. Credit to the Mu Security research team for reporting this issue.
Ruby - Ruby safe level restrictions may be bypassed
The Ruby scripting language contains a mechanism called "safe levels" that is used to restrict certain operations. This mechanism is most commonly used when running privileged Ruby applications or Ruby network applications. In certain circumstances, an attacker may be able to bypass the restrictions in such applications. Applications that do not rely on safe levels are unaffected. This update addresses the issue by ensuring that safe levels cannot be bypassed.
Safari - Visiting malicious web sites may lead to file manipulation or arbitrary code execution
When Safari's "Open `safe' files after downloading" option is enabled, archives will be automatically expanded. If the archive contains a symbolic link, the target symlink may be moved to the user's desktop and launched. This update addresses the issue by not resolving downloaded symbolic links. This issue does not affect systems prior to Mac OS X v10.4.
I'm glad they're fixing these "potentials" before they become "actuals," but mostly I'm just dying to know. What is BOM?
I know it's something to do with extracting zips, but why the name BOM?
TIA for what will probably be some Unix trivia
PS, it's cool that the latest Flash Player is bundled right into the Apple update.
I know it's something to do with extracting zips, but why the name BOM?
TIA for what will probably be some Unix trivia
PS, it's cool that the latest Flash Player is bundled right into the Apple update.
gekko513 said:
This is the way it is with almost all OSX Security updates. No one pays attention because the vulnerabilities are rarely exploited, but it goes to show that our OS is not quite as safe as some may think...
at least Apple's finally patching these vulnerabilities. I haven't taken in-depth looks, but I'm guessing we're finally seeing patches for the vulnerabilities that were initially found in January.
Must... resist... urge... to... click... negative!!!Mac Fly (film) said:If someone rates this article as a negitive, I'll kick them
Always remember:
1. No OS is ever perfect.
2. Therefore Mac OS X is not perfect.
3. Therefore Mac OS X is just as bad as Windows.
4. Therefore Windows is better than Mac OS X.
QED
Thought I'd save some time and sum that all up for anyone who needs it
1. No OS is ever perfect.
2. Therefore Mac OS X is not perfect.
3. Therefore Mac OS X is just as bad as Windows.
4. Therefore Windows is better than Mac OS X.
QED
Thought I'd save some time and sum that all up for anyone who needs it
Atlasland said:
Nothing wrong with that. Apple is on the ball and is being proactive in many cases - that's a good thing.
Plus, this is the third security update of 2006 for Apple. How many patches, etc. has MS released for Windows so far?
Mac Fly (film) said:"I'm just dying to know. What is BOM?" It contains gun powder and has a short fuse attached
I think it's the bizarre name to Mac OS X's ZIP file engine (opening/archiving). Someone else might know more. (Maybe it's a UNIX program?)
Ever heard of Google?nagromme said:What is BOM?
I know it's something to do with extracting zips, but why the name BOM?
TIA for what will probably be some Unix trivia
From http://en.wikipedia.org/wiki/BOMArchiveHelper
bill of materials
see man bomnagromme said:I'm glad they're fixing these "potentials" before they become "actuals," but mostly I'm just dying to know. What is BOM?
I know it's something to do with extracting zips, but why the name BOM?
TIA for what will probably be some Unix trivia
PS, it's cool that the latest Flash Player is bundled right into the Apple update.
nagromme said:
I believe BOM is an acronym for Byte Order Mark and the name for a character code placed at the beginning of a data stream. It is used to identify certain things about the data stream, mainly which Unicode type the file uses (UTF-8, UTF-16, or UTF-32). Here's the wikipedia article if you are interested: http://en.wikipedia.org/wiki/Byte_Order_Mark
That may be true, but "Bill of Materials" is the correct answer in this particular case.theorem7 said:
Most software I've been involved with has shipped with what we called a BOM (bill of materials) in a format depending on what we were shipping, most simply a list of components..
Now I know! Even better trivia than I was hoping for
As you were...
As you were...
I haven't yet gone to 10.4.6 and I don't see it either. Time to update!thomasp said:Hmmm - must only be for 10.4.6 users - I'm still running OSX 10.4.5 and the update doesn't exist
nagromme said:Always remember:
1. No OS is ever perfect.
2. Therefore Mac OS X is not perfect.
3. Therefore Mac OS X is just as bad as Windows.
4. Therefore Windows is better than Mac OS X.
QED
Thought I'd save some time and sum that all up for anyone who needs it
Chuckles to himself
I like your humour!For me what makes Apple more secure is that their very proactive in patching any security vulnerabilities before they get out into the wild and become a problem. For this reason I love downloading security updates; it lets me know Apple are dedicated to keeping their OS as secure as possible.
jay
Update to news story
See these pages for manual downloads: