Apple has released patches to fix some highly critical vulnerabilities in Mac OS X and Mac OS X Server. These
software flaws can allow a remote attacker to completely compromise a system.


Apple’s security update 61798
lists a number of issues, including two dated May 3, 2004. Reading the Apple notes on these threats
wouldn’t raise any alarm bells because they talk about vulnerabilities in a
vague and calming tone.

However, security firm @Stake, which discovered some of the most
serious flaws and initially warned Apple security, says these are highly
critical vulnerabilities. @Stake’s own security advisory on these flaws paints a dramatic, and probably
more realistic, picture of the threats posed by these flaws, saying they allow
a remote attacker to “execute arbitrary commands as root.”

The most critical threats lie in the AppleFileServer, which
contains a stack buffer overflow vulnerability. These
security updates also include patches for Apache 2, CoreFoundation, and IPSec
as described by Apple:

  • Security
    Update 2004-05-03 for Mac OS X 10.3.3 “Panther” and Mac OS X
    10.3.3 Server.
  • Security
    Update 2004-05-03 for Mac OS X 10.2.8 “Jaguar” and Mac OS X
    10.2.8 Server.
  • AppleFileServer:
    Fixes CAN-2004-0430 to improve the handling of long passwords [CRITICAL].
  • Apache
    2: Fixes CAN-2003-0020, CAN-2004-0113, and CAN-2004-0174 [mostly a DoS
  • CoreFoundation:
    Fixes CAN-2004-0428 [undisclosed threat].
  • IPSec:
    Fixes CAN-2004-0155 and CAN-2004-0403 [VPN tunnel man-in-the-middle
  • Also
    note that IPSec in Mac OS X is not vulnerable to CAN-2004-0392.

Applicability—Mac OS X and Mac OS X Server

@Stake reports they have proven these exploits on Mac OS X
10.3.3, 10.3.2, and 10.2.8, but states that in general the threat applies to
all versions of Mac OS X 10.3.3 and earlier.

The Apache 2 vulnerabilities apply to versions before

Risk level—Highly critical

The most severe threat is from the AppleFileServer buffer
overrun vulnerability.

Mitigating factors

Apple Filing Protocol is the vulnerable portion of
AppleFileServer and it is not enabled by default.


Apply the patches or disable Apple Filing Protocol if you
don’t need it.

For the other vulnerabilities, apply the provided patches
or, for Apache 2, upgrade to version 2.0.49.

Final word

The most serious vulnerabilities were reported to Apple by
@Stake on March 26, 2004, and announced by @Stake on the day Apple released the
patches, May 3, 2004.

The other threats were not credited to @Stake. Apple doesn’t
list any credit for the Apache 2 vulnerability but credits for
informing the vendor of the CoreFoundation problem.

Also watch for…

Another serious vulnerability has recently been discovered
in ISS security software. This time it involves CheckPoint VPN products, which
have a highly critical vulnerability caused by a boundary error within ISAKMP,
resulting in a buffer overflow and opening systems to remote execution of code.
CheckPoint has released fixes.

A Bluesnarfing test by The London Times shows that 13 Nokia and five
Ericsson cell phones, including the Nokia 6310 and 6310i phones and the
Ericsson T610 picture phone, are the least secure. Bluesnarfing is the practice
of hacking phones for their activation codes in order to setup spoofed
accounts. This can allow GPS tracking of phones or the capture of text messages
and contact lists. The Bluetooth-related vulnerability exploited in
Bluesnarfing is also in phones used in the U.S.
You can find another list of affected phones here.

Patches have been released for OpenBSD versions 3.3, 3.4, and 3.5 to correct critical vulnerabilities (unauthorized
information disclosure to remote attackers).

On the privacy front, Google is about to offer free e-mail
accounts with advanced search features and 1.0 GB of free storage—a very
attractive idea for companies that want to keep viruses far away from their own
mail servers. But questions have been raised about the way Google will pay for
the service (i.e., by scanning all messages in order to provide unobtrusive
targeted ads). is reporting that
privacy organizations are challenging this as being in violation of wiretap
laws, especially Sec. 631 in California.

Security Tracker reports
that there are vulnerabilities in the popular database reporting software
Crystal Reports. The vulnerabilities are unspecified at this time but can lead
to a remote denial of service and/or a database file compromise.

The Department of Homeland
Security has just published “The Incident Response and Reporting
Guidelines,” a publication covering symptoms and responses for attacks. I
couldn’t locate a downloadable version but, fear not, the National Institute of
Science and Technology (NIST) published a very comprehensive report on exactly the same thing a few months back, and it’s in
PDF format that you can download.