Patch critical AFS and Apache flaws in Mac OS X and OS X Server

New OS X holes require prompt action.

Apple has released patches to fix some highly critical vulnerabilities in Mac OS X and Mac OS X Server. These software flaws can allow a remote attacker to completely compromise a system.


Apple's security update 61798 lists a number of issues, including two dated May 3, 2004. Reading the Apple notes on these threats wouldn't raise any alarm bells because they talk about vulnerabilities in a vague and calming tone.

However, security firm @Stake, which discovered some of the most serious flaws and initially warned Apple security, says these are highly critical vulnerabilities. @Stake's own security advisory on these flaws paints a dramatic, and probably more realistic, picture of the threats posed by these flaws, saying they allow a remote attacker to "execute arbitrary commands as root."

The most critical threats lie in the AppleFileServer, which contains a stack buffer overflow vulnerability. These security updates also include patches for Apache 2, CoreFoundation, and IPSec as described by Apple:

  • Security Update 2004-05-03 for Mac OS X 10.3.3 "Panther" and Mac OS X 10.3.3 Server.
  • Security Update 2004-05-03 for Mac OS X 10.2.8 "Jaguar" and Mac OS X 10.2.8 Server.
  • AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords [CRITICAL].
  • Apache 2: Fixes CAN-2003-0020, CAN-2004-0113, and CAN-2004-0174 [mostly a DoS threat].
  • CoreFoundation: Fixes CAN-2004-0428 [undisclosed threat].
  • IPSec: Fixes CAN-2004-0155 and CAN-2004-0403 [VPN tunnel man-in-the-middle attacks].
  • Also note that IPSec in Mac OS X is not vulnerable to CAN-2004-0392.

Applicability—Mac OS X and Mac OS X Server

@Stake reports that it has proven these exploits on Mac OS X 10.3.3, 10.3.2, and 10.2.8, but states that, in general, the threat applies to all versions of Mac OS X 10.3.3 and earlier.

The Apache 2 vulnerabilities apply to versions before 2.0.49.

Risk level—Highly critical

The most severe threat is from the AppleFileServer buffer overrun vulnerability.

Mitigating factors

Apple Filing Protocol is the vulnerable portion of AppleFileServer and it is not enabled by default.


Apply the patches or disable Apple Filing Protocol if you don't need it.

For the other vulnerabilities, apply the provided patches or, for Apache 2, upgrade to version 2.0.49.
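As an added illustration (not part of the original article or of Apple's or @Stake's material), the following sketch triages a host inventory against the thresholds given above: Mac OS X 10.3.3 and earlier, Apache 2 before 2.0.49, and whether Apple Filing Protocol is enabled. The inventory rows and field names are constructed, and the code assumes that an installed Security Update 2004-05-03 resolves both the AppleFileServer and the Apache 2 issues.

```python
# Added example: triage hosts against the thresholds in this advisory.
# Field names and inventory rows are constructed for illustration.
from typing import NamedTuple, Optional

LAST_AFFECTED_OSX = (10, 3, 3)   # "Mac OS X 10.3.3 and earlier"
FIXED_APACHE2 = (2, 0, 49)       # Apache 2 "versions before 2.0.49"

class Host(NamedTuple):
    name: str
    osx_version: str
    update_2004_05_03: bool        # Security Update 2004-05-03 installed?
    afp_enabled: bool              # Apple Filing Protocol (off by default)
    apache_version: Optional[str]  # None when Apache is not installed

def parse_version(text: str) -> tuple:
    """'10.3' -> (10, 3, 0), padded so 10.3 sorts below 10.3.3."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def findings(host: Host) -> list:
    """Return the remediation items still open for one host."""
    if host.update_2004_05_03:
        return []  # assumption: the update covers AFS and Apache 2
    out = []
    if parse_version(host.osx_version) <= LAST_AFFECTED_OSX:
        if host.afp_enabled:
            out.append("AFP enabled: patch or disable AFP (CAN-2004-0430)")
        else:
            out.append("AFP disabled: mitigated, patch still required")
    if host.apache_version:
        v = parse_version(host.apache_version)
        # Only the Apache 2 line is in scope for the 2.0.49 threshold.
        if v[0] == 2 and v < FIXED_APACHE2:
            out.append("Apache 2 before 2.0.49: patch or upgrade")
    return out

INVENTORY = [  # constructed sample data
    Host("fileserver", "10.3.3", False, True, "2.0.48"),
    Host("laptop", "10.2.8", False, False, None),
    Host("web", "10.3.3", True, False, "2.0.48"),
]

if __name__ == "__main__":
    for h in INVENTORY:
        print(h.name, findings(h) or ["no open items"])
```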

Final word

The most serious vulnerabilities were reported to Apple by @Stake on March 26, 2004, and announced by @Stake on the day Apple released the patches, May 3, 2004.

The other threats were not credited to @Stake. Apple doesn't list any credit for the Apache 2 vulnerability but credits aaron@vtty.com for informing the vendor of the CoreFoundation problem.

Also watch for...

Another serious vulnerability has recently been discovered in ISS security software. This time it involves CheckPoint VPN products, which have a highly critical vulnerability caused by a boundary error within ISAKMP, resulting in a buffer overflow and opening systems to remote execution of code. CheckPoint has released fixes.

A Bluesnarfing test by The London Times shows that 13 Nokia and five Ericsson cell phones, including the Nokia 6310 and 6310i phones and the Ericsson T610 picture phone, are the least secure. Bluesnarfing is the practice of hacking phones for their activation codes in order to set up spoofed accounts. This can allow GPS tracking of phones or the capture of text messages and contact lists. The Bluetooth-related vulnerability exploited in Bluesnarfing is also in phones used in the U.S. You can find another list of affected phones here.

Patches have been released for OpenBSD versions 3.3, 3.4, and 3.5 to correct critical vulnerabilities (unauthorized information disclosure to remote attackers).

On the privacy front, Google is about to offer free e-mail accounts with advanced search features and 1.0 GB of free storage—a very attractive idea for companies that want to keep viruses far away from their own mail servers. But questions have been raised about the way Google will pay for the service (i.e., by scanning all messages in order to provide unobtrusive targeted ads). News.com is reporting that privacy organizations are challenging this as being in violation of wiretap laws, especially Sec. 631 in California.

Security Tracker reports that there are vulnerabilities in the popular database reporting software Crystal Reports. The vulnerabilities are unspecified at this time but can lead to a remote denial of service and/or a database file compromise.

The Department of Homeland Security has just published "The Incident Response and Reporting Guidelines," a publication covering symptoms and responses for attacks. I couldn't locate a downloadable version but, fear not, the National Institute of Science and Technology (NIST) published a very comprehensive report on exactly the same thing a few months back, and it's in PDF format that you can download.
