PLEX86  x86- Virtual Machine (VM) Program

Mac Security: Update 04212006



--Tempest In A Teapot?--

MacFixIt today have started a review and discussion of this fairly vague set of vulnerabilities. I am going to post all of today's article in this post as it may not be accessible tomorrow to those who are not MacFixIt members.

In quick summary, crashes of Safari using test files have been reproduced. However, there is no evidence that such a crash could result in the end of any code written to a memory heap.

Therefore, Safari is vulnerable to crashes when opening malformed files, as perhaps are Preview, Finder, and QuickTime. But no evidence of the possibility of an actual exploit, whereby the security of any Mac could be compromised as a result, is evident.

The ACTUAL DANGER, versus mere annoyance, of these vulnerabilities is NOT EVIDENT. Not yet anyway. And, Apple's inaction on these vulnerabilities suggests that this is their finding as well.

===================================

04-24-06


Six potential Mac OS X security flaws -- are they really flaws?

Last week Secunia reported on six potential security flaws "flaws" are actually repeatable crashes -- but we've yet to determine if any cause the opportunity for exploitation.

One of the proof-of-concept files posted to his Security Protocols blog -- labeled under the bug name "Apple OS X BOM ArchiveHelper .zip Heap Overflow" -- results in a crash of Safari when downloading a specially designed .zip file. The crash only occurs if the "Open 'safe' files automatically" option is turned on in the General pane of System Preferences. If this option is turned on, the .zip file is automatically expanded when it is downloaded and causes the Safari crash.

In theory, any heap overflow has the potential to be a security flaw. When a heap overflow occurs, there can (potentially) be an opportunity to write arbitrary code to an unintended destination -- either overwriting data on your system or intentionally placing malicious code.

However, said heap overflow resulting in a crash must result in an opportunity to run malicious code -- and none of the exploits reported by Ferris are accompanied by any proof of malicious end (though these demonstrations might be intentionally withheld.)

The crashes were submitted by Tom to Apple on 2-21-2006. There have been two security updates and one full incremental Mac OS X update since then -- none of which addressed any of these alleged issues.

It is interesting to note, however, that these are the type of crashes Apple routinely addresses in Mac OS X security updates.


Take for example this security hole closure in Mac OS X 10.4.5:


"CVE-ID: CVE-2006-0382

"Impact: A malicious local user can cause a system crash

"Description: A malicious local user may trigger a system crash by invoking an undocumented system call. This update addresses the issue by removing the system call from the kernel. Credit to David Goldsmith of Matasano for reporting this issue."


The fact that Apple has yet to address the crashes, as submitted by Ferris, either indicates that there is not a strong potential for malicious exploitation of these crashes, Apple hasn't deemed the threat as such, or (at least some of) the crashes are by intentional design and will not be addressed.

-- Fortune Magazine, 11-29-05: What's your computer setup today? Frederick Brooks: I happily use a Macintosh. It's not been equalled for ease of use, and I want my computer to be a tool, not a challenge. Frederick Brooks is the author of 'The Mythical Man Month'. He spearheaded the movement to modernize computer software engineering in 1975




Mac OSX Advocacy from Newsgroups
