Apple has released patches to fix some highly critical vulnerabilities in Mac OS X and Mac OS X Server. These software flaws can allow a remote attacker to completely compromise a system.
Apple's security update 61798 lists a number of issues, including two dated
However, security firm @Stake, which discovered some of the most serious flaws and initially warned Apple security, says these are highly critical vulnerabilities. @Stake's own security advisory on these flaws paints a dramatic, and probably more realistic, picture of the threats posed by these flaws, saying they allow a remote attacker to "execute arbitrary commands as root."
The most critical threats lie in the AppleFileServer, which contains a stack buffer overflow vulnerability. These security updates also include patches for Apache 2, CoreFoundation, and IPSec as described by Apple:
- Security Update 2004-05-03 for Mac OS X 10.3.3 "Panther" and Mac OS X 10.3.3 Server.
- Security Update 2004-05-03 for Mac OS X 10.2.8 "Jaguar" and Mac OS X 10.2.8 Server.
- AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords [CRITICAL].
- Apache 2: Fixes CAN-2003-0020, CAN-2004-0113, and CAN-2004-0174 [mostly a DoS threat].
- CoreFoundation: Fixes CAN-2004-0428 [undisclosed threat].
- IPSec: Fixes CAN-2004-0155 and CAN-2004-0403 [VPN tunnel man-in-the-middle attacks].
- Also note that IPSec in Mac OS X is not vulnerable to CAN-2004-0392.
Applicability—Mac OS X and Mac OS X Server
@Stake reports they have proven these exploits on Mac OS X 10.3.3, 10.3.2, and 10.2.8, but states that in general the threat applies to all versions of Mac OS X 10.3.3 and earlier.
The Apache 2 vulnerabilities apply to versions before 2.0.49.
Risk level—Highly critical
The most severe threat is from the AppleFileServer buffer overrun vulnerability.
Apple Filing Protocol is the vulnerable portion of AppleFileServer and it is not enabled by default.
Apply the patches or disable Apple Filing Protocol if you don't need it.
For the other vulnerabilities, apply the provided patches or, for Apache 2, upgrade to version 2.0.49.
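The two mitigations above (patch or disable Apple Filing Protocol; run Apache 2.0.49 or later) are easy to turn into a local audit. The script below is an added example and is not code from the article, from @Stake or from Apple. It assumes, as labelled in the comments, that Mac OS X 10.2/10.3 record the AppleFileServer setting in /etc/hostconfig as `AFPSERVER=-YES-` or `-NO-`, and that `httpd -v` prints a banner of the form `Server version: Apache/2.0.48`; the sample inputs are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the article, @Stake or Apple). Assumptions:
# Mac OS X 10.2/10.3 keep the AppleFileServer switch in /etc/hostconfig as
# "AFPSERVER=-YES-" / "AFPSERVER=-NO-", and `httpd -v` prints
# "Server version: Apache/2.0.48". Sample inputs below are constructed.

# afp_enabled [FILE]: exit 0 when the hostconfig file enables AFP.
afp_enabled() {
    grep -q '^AFPSERVER=-YES-' "${1:-/etc/hostconfig}"
}

# apache_version_from_banner LINE: print "2.0.48" from an httpd -v banner.
apache_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# apache_vulnerable VERSION: exit 0 when VERSION is Apache 2.0.x older than
# 2.0.49, the release the advisory names as fixed. Versions that are not
# three-part (e.g. "2.0") are not flagged rather than guessed at.
apache_vulnerable() {
    ver=$1
    case $ver in
        *.*.*) ;;
        *) return 1 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop a suffix such as "-dev"
    [ "$major" -eq 2 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 49 ]
}

# audit HOSTCONFIG BANNER: print one line per finding; exit 0 if nothing found.
audit() {
    findings=0
    if afp_enabled "$1"; then
        echo "AFP enabled: apply Security Update 2004-05-03 or disable Apple Filing Protocol"
        findings=$((findings + 1))
    fi
    ver=$(apache_version_from_banner "$2")
    if [ -n "$ver" ] && apache_vulnerable "$ver"; then
        echo "Apache $ver: upgrade to 2.0.49 or later"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Demonstration on constructed input. A real run would pass /etc/hostconfig
# and "$(httpd -v | head -1)" instead.
sample=$(mktemp)
printf 'AFPSERVER=-YES-\nWEBSERVER=-YES-\n' > "$sample"
audit "$sample" 'Server version: Apache/2.0.48' || true
rm -f "$sample"
```

The AFP check looks only at the configuration switch; on a host where the service is enabled, the same condition is visible as a listener on TCP port 548, which is the port the Apple Filing Protocol uses.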
The most serious vulnerabilities were reported to Apple by @Stake on March 26, 2004, and announced by @Stake on the day Apple released the patches, May 3, 2004.
The other threats were not credited to @Stake. Apple doesn't list any credit for the Apache 2 vulnerability but credits an individual researcher for informing the vendor of the CoreFoundation problem.
Also watch for...
Another serious vulnerability has recently been discovered in ISS security software. This time it involves CheckPoint VPN products, which have a highly critical vulnerability caused by a boundary error within ISAKMP, resulting in a buffer overflow and opening systems to remote execution of code. CheckPoint has released fixes.
A Bluesnarfing test by The London Times shows that 13 Nokia and five Ericsson cell phones, including the Nokia 6310 and 6310i phones and the Ericsson T610 picture phone, are the least secure. Bluesnarfing is the practice of hacking phones for their activation codes in order to set up spoofed accounts. This can allow GPS tracking of phones or the capture of text messages and contact lists. The Bluetooth-related vulnerability exploited in Bluesnarfing is also in phones used in the
On the privacy front, Google is about to offer free e-mail accounts with advanced search features and 1.0 GB of free storage—a very attractive idea for companies that want to keep viruses far away from their own mail servers. But questions have been raised about the way Google will pay for the service (i.e., by scanning all messages in order to provide unobtrusive targeted ads). News.com is reporting that privacy organizations are challenging this as being in violation of wiretap laws, especially Sec. 631 in
Security Tracker reports that there are vulnerabilities in the popular database reporting software Crystal Reports. The vulnerabilities are unspecified at this time but can lead to a remote denial of service and/or a database file compromise.
The Department of