ie8 fix
madison

Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev
Home / News & Blogs / Zero Day

Mac OS X dirty dozen: Apple plugs critical security holes

By | January 19, 2010, 1:23pm PST

Summary: The update, rated critical, plugs security holes that could lead to code execution vulnerabilities if a Mac user is tricked into opening audio files or surfing to a rigged Web site.

Apple’s first Mac OS X security update for 2010 is out, providing cover for at least 12 serious vulnerabilities.

The update, rated critical, plugs security holes that could lead to code execution vulnerabilities if a Mac user is tricked into opening audio files or surfing to a rigged Web site.

With Security Update 2010-001, Apple also fixes flaws in the Adobe Flash Player plug-in that ships with the operating system.

Here’s the skinny of the vulnerabilities:

  • CoreAudio (CVE-2010-0036) — A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution.
  • CUPS (CVE-2009-3553) — A use-after-free issue exists in cupsd. By issuing a maliciously crafted get-printer-jobs request, an attacker may cause a remote denial of service. This is mitigated through the automatic restart of cupsd after its termination.
  • Flash Player plug-in (7 vulnerabilities) — Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 10.0.42.
  • ImageIO (CVE-2009-2285) — A buffer underflow exists in ImageIO’s handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
  • Image RAW (CVE-2010-0037) — A buffer overflow exists in Image RAW’s handling of DNG
  • images. Viewing a maliciously crafted DNG image may lead to an unexpected application termination or arbitrary code execution.
  • OpenSSL (CVE-2009-3555) — A man-in-the-middle vulnerability exists in the SSL and TLS protocols. Further information is available here. A change to the renegotiation protocol is underway within the IETF. This update disables renegotiation in OpenSSL as a preventive security measure. The issue does not affect services using Secure Transport as it does not support renegotiation.

The update is being distributed via Apple’s Software Update mechanism.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Topics

Apple Mac OS, Apple Macintosh, Vulnerability, Apple Inc., Apple Mac OS X, Arbitrary Code Execution, Plug-in, Application Termination, Security, Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Related Discussions on TechRepublic

Did you know you can take part in these discussions with your ZDNet membership?
Ask a Question Start a Discussion
99
Comments
Add Your Opinion

Join the conversation!

Just In

RE: Mac OS X dirty dozen: Apple plugs critical security holes
efsane Updated - 8th Apr 2011
Great! !! thanks for sharing this information to us!
sesli sohbet sesli chat
View in thread
0 Votes
+ -
12 Serious OS X holes, and one IE bug gets top billing?
xuniL_z 19th Jan 2010
Could zdnet make their agenda any more obvious?
0 Votes
+ -
Could it have something to do...
gfeier 19th Jan 2010
...with patching the holes BEFORE they're exploited?
0 Votes
+ -
Prove that none of these gaping holes have been exploited.
NonZealot 19th Jan 2010
You wouldn't have written your sentence if you didn't have proof to support your claim, right?
0 Votes
+ -
Argumentum ad ignorantiam.
msalzberg 19th Jan 2010
Look it up, if you're able.
0 Votes
+ -
Works both ways though.
jdbukis@... 19th Jan 2010
Equally applies to people that claim that these security flaws have not been exploited just because its not been proven they have.
0 Votes
+ -
The fact that there is no exploit code out for them..
AzuMao Updated - 19th Jan 2010
..and they are already patched.. proves it beyond a reasonable doubt.

If you want 100% proof, you'll have to solve the Munchhausen-Trilemma, because until then you can't even prove you exist.

edit:
Just to clarify, I meant to yourself. Even if you do solve it you still can't prove it to someone else absolutely, short of them being omniscient.
0 Votes
+ -
Easy proof!
gfeier 19th Jan 2010
If they had been ZDNet would surely have reported it. Q.E.D. - but I like the previous answer better.
0 Votes
+ -
So ZDNet is aware of all hacks all over the world?
NonZealot 19th Jan 2010
Of course not, that would be a silly defense to a weak argument.

In fact, only the unsuccesful hacks get detected. The rest, don't. happy

So, you were the only one who made a claim that there weren't any exploits using these gaping vulnerabilities. Please back it up or take it back. Thanks!
0 Votes
+ -
On a scale from 1 to 10 ROTFLMAO
Intellihence 19th Jan 2010
I give you an absolute 10 for the big laughs. You are all over the place.
You are hilarious. Get over yourself & move on.
0 Votes
+ -
That's weird..
AzuMao 19th Jan 2010
..because I could have sworn the attack on IE that
xuniL_z referred to was successful.
0 Votes
+ -
As much as i usually completely disagree with things NZ posts
Pete "athynz" Athens 20th Jan 2010
- and I usually do disagree with him - this time I feel he has a point. There is NOTHING in this article that claims that these vulnerabilities have not been exploited - or no claims that they have other than from the testing that revealed these vulnerabilities. So far all he's gotten is insults... I'd like to see some proof either for or against his argument so this can be laid to rest. Have these vulnerabilities been exploited yes or no and is there a linkable source to verify either way?
0 Votes
+ -
But he's the one who made the claim in the first place
Wintel BSOD 21st Jan 2010
There is NOTHING in this article that claims that these vulnerabilities have not been exploited

So it's up to him to tell us what they are.

- or no claims that they have other than from the testing that revealed these vulnerabilities.

Well, has there been any proof, otherwise? Has anyone in any of the Mac forums encountered these vulnerabilities in the wild?

Tell us.

So far all he's gotten is insults...

Well that's par for the course. For someone claiming to be a "NonZealot" he sure doesn't act like one.

I'd like to see some proof either for or against his argument so this can be laid to rest.

Why don't you ask Apple? Or go to one of their forums and report back to us.

Have these vulnerabilities been exploited yes or no and is there a linkable source to verify either way?

Well the same claims have been made against Linux too. Only now "bugs" are called "security vulnerabilities" by the M$ rabid fan club. Makes them feel better with their inferiority complex.
0 Votes
+ -
You didn't look up "argumentum ad ignorantiam" did you?
macgroover 20th Jan 2010
otherwise you wouldn't go on repeating it.

(Teenagers obviously have too much time on their hands).
0 Votes
+ -
Prove to what level?
AzuMao 19th Jan 2010
If you mean absolute, you can't even prove that he
wrote that sentence.

If you just mean beyond reasonable doubt..
they were fixed before any exploit code came out,
unlike the IE vulnerability.
0 Votes
+ -
100 undisclosed windows vulnerabilities being exploited
Richard Flude Updated - 19th Jan 2010
Prove that they aren't!

A ridiculous proposition:-)
0 Votes
+ -
Just google...
samwise51@... 20th Jan 2010
plenty of information at

http://packetstormsecurity.org/

http://www.metasploit.com/

http://www.securityfocus.com/
0 Votes
+ -
Prove that there isn't a teapot on Pluto
macgroover 20th Jan 2010
Requiring proof for a negative assertion is a well-know fallacy.

(but requiring you to prove that these holes are 'gaping' is not. )
0 Votes
+ -
That or..
AzuMao 19th Jan 2010
..the fact that Flash, Java, etc, are not OS X.


Or maybe both.
0 Votes
+ -
12 bugs in Flash/Java fixed before they are exploited and a Serious hole in
AzuMao 19th Jan 2010
IE that gets dozens of big companies hacked before
it is patched gets top billing.. yep.
0 Votes
+ -
Are you suggesting that their is bias here?
webmaster@... 20th Jan 2010
Silly little fanboy...
0 Votes
+ -
Agreed
Ktroje 21st Jan 2010
Yeah, they, although most Mac enthusiasts (the ones I read) like to
cover Windows M$ fails, love to find dirt on a Mac.

They obviously forget Windows has nightly builds, patching holes left
and right seemingly every 12 hours.

Macs? I check for updates every day, hoping there's something to
update. It's funny; PC people click install without thinking about it, it's
habitual to them. Mac people, or at least the 200 some I know, take
the time to read what each update does, and it ultimately excited when
there's something new to update. For us, it means a faster, leaner
kitty. For PCs, slower, and yet another problem they were unaware of.
0 Votes
+ -
Sounds terrible!
NonZealot 19th Jan 2010
Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution.

Why is Apple executing code in my audio files? Keep your code out of my audio files! Wow, Apple has no clue when it comes to security.

Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site.

So simply viewing a web site could lead to an attacker running arbitrary code on my machine? What's the name for that again? Drive-by? Yeah, thought so.

Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.

As if it wasn't enough that Apple is executing code in audio files, now it turns out they are executing code in pictures too? No wonder OS X always falls first at PWN2OWN contests.

Viewing a maliciously crafted DNG image may lead to an unexpected application termination or arbitrary code execution.

Wow, it seems that looking at your Mac sideways may lead to arbitrary code execution. Hasn't anyone at Apple heard about code reviews? This is brutal. No, this is inexcusable.
0 Votes
+ -
Zero day sounds terrible! n/t
n0neXn0ne Updated - 19th Jan 2010

0 Votes
+ -
Zealot, get upstairs right now!
Info-Dave 19th Jan 2010
Your Mom's calling you to dinner.
0 Votes
+ -
Ya seriously, because Apple made Flash, and Flash doesn't
AzuMao 19th Jan 2010
affect Windows systems, right? Right. Absolutely
inexcusable on Apple's part.
0 Votes
+ -
Please don't feed the troll (nt)
Fred Fredrickson 19th Jan 2010
.
0 Votes
+ -
So, you agree that the other vulnerabilities are Apple's fault
markbn 19th Jan 2010
except the one related to Flash? Good.
0 Votes
+ -
Ya, they definitely made Java and all those other vulnerable
AzuMao 20th Jan 2010
products. Which don't run on Windows computers,
certainly. Yes, agreed 100%.
0 Votes
+ -
Core Audio, Image RAW, ImageIO, etc.
markbn 24th Jan 2010
that had vulnerabilities were the ones
**implemented** by APPLE. How come is __not__
their fault?

I agree with what you said above: "Absolutely
inexcusable on Apple's part."
0 Votes
+ -
Apple decided to pre-install Flash in their OS on their machines
de-void-21165590650301806002836337787023 20th Jan 2010
Therefore, they have to be accountable for the vulns discovered in said software.

Microsoft doesn't ship Flash in it's OS and so doesn't (even though most ABM'ers around here seem to hold MS responsible for all of Adobe's software's flaws).
0 Votes
+ -
Older Versions of Windows Included Flash
PMC-CON 20th Jan 2010
Even XP I think.
0 Votes
+ -
Umm, no
baileysc 20th Jan 2010
Earlier versions included Java (which is no longer included), but not Flash. Many OEMs add Flash but it has never been in the OS install.
0 Votes
+ -
You're funny
Michael Alan Goff 20th Jan 2010
http://www.infopackets.com/news/business/micros
oft/2010/20100114_update_adobe_flash_immediatel
y_says_microsoft.htm

It's rare that Microsoft would cite issues
affecting the software of another company, but
since Adobe's Flash Player originally shipped
with Windows XP, apparently the Redmond-based
firm feels it owes something to its legion of
XP hangers-on.

"The Adobe Flash Player 6 was provided with
Windows XP and contains multiple
vulnerabilities that could allow remote code
execution if a user views a specially crafted
Web page," Microsoft announced in its Security
Advisory yesterday. "Adobe has addressed these
vulnerabilities in newer versions of Adobe
Flash Player. Microsoft recommends that users
of Windows XP with Adobe Flash Player 6
installed update to the most current version of
Flash Player available from Adobe."
0 Votes
+ -
MS does (according to Secunia, which until very recently..
AzuMao 21st Jan 2010
..was the favorite site for NBMers to cite.)

Also, just FYI (not nitpicking), here's the right way to use apostrophes. ^^
0 Votes
+ -
Great link!
lehnerus2000 Updated - 21st Jan 2010
I always have trouble with "its".

Reminds me of the scene in "Life of Brian", where the centurion is giving Brian Latin lessons.

lehnerus2000
0 Votes
+ -
You can't be serious?
Richard Flude 19th Jan 2010
"As if it wasn't enough that Apple is executing code in audio files, now it
turns out they are executing code in pictures too?"

These sound like buffer overflows.
0 Votes
+ -
Which is precisely ...
de-void-21165590650301806002836337787023 20th Jan 2010
... how those vulns were described, no?
0 Votes
+ -
And how about that SSL vulnerability?
msalzberg Updated - 19th Jan 2010
Oh, wait, Microsoft's affected by the same vulnerability, and they
haven't patched it yet!

http://www.computerworld.com/s/article/9146198/Apple_patches_1
2_Mac_bugs_in_Flash_SSL

Wonder why you didn't mention that?
0 Votes
+ -
But Microsoft don't need to patch their stuff.
AzuMao 20th Jan 2010
Because nobody in their right mind uses it
anyways.
0 Votes
+ -
No, Cisco and Microsoft haven't patched it yet
baileysc 20th Jan 2010
Maybe because the bug isn't actually that severe (see http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1373678,00.html).

If you examine the bug you'll find that it effects an extremely small percentage of users.

It is just like Apple to patch a bug that doesn't actually affect most of their users so that they can milk some good PR from it. Also, at least when Microsoft does patch the OS the will release a patch for WinXP as well. Apple doesn't support their OSX 10.4 (released in 2005) and never plans to provide a patch for this OS.

Of course none of this will matter until Cisco patches their few thousand devices so Microsoft and Apple patches for the SSL vulnerability are pretty meaningless.

There are quite a few vulnerabilities in both the Mac and Windows that really should get a higher priority than this one. Unfortunately Apple has always prioritized fixes based on the PR it will generate rather than how it will actually benefit the OS and Microsoft sadly is starting to adopting this same philosophy (which is why Windows 7 out of the box is less secure than Vista).
0 Votes
+ -
Not that severe..
AzuMao 20th Jan 2010
..since only 33 big companies got owned by it
overnight. Okay. What is severe then?

Oops, that's the other unpatched
vulnerability, my bad. Microsoft really should get
to fixing them, they're starting to pile up.
0 Votes
+ -
At least Apple sandboxes their browser
NonZealot 19th Jan 2010
Oh... wait... they don't. OS X is the only modern OS with no mechanism to sandbox the #1 attack vector on a desktop computer. Yikes!!!
0 Votes
+ -
amazing
bannedfromzdnetagain 19th Jan 2010
amazing work as (almost) always. keep it up! but you need to put that
new introduced sarcasm icon in your post otherwise some newbees here
at zdnet might think you are serious.
0 Votes
+ -
I'm not?
NonZealot Updated - 19th Jan 2010
some newbees here at zdnet might think you are serious

OS X runs Safari with fewer privileges that the current user by default, thus protecting not only the system from drive-bys but also the user's precious personal files? Links please! And no, I'm not joking about demanding proof.
0 Votes
+ -
Back atcha Zealot
Info-Dave Updated - 19th Jan 2010
Give us some links where OS X and/or Safari have been exploited in the
wild. Everything is vulnerable, but not much has been exploited. In fact,
your swiss cheese Microsoft world is far and away the most exploited.
Blame it on whatever you want, but you are the one with problems.

Answer quick, bedtime in 15 minutes.
0 Votes
+ -
No
AzuMao 19th Jan 2010
Any vulnerability related to OSX (even in third
party applications) means OSX users got hacked,
even if it is fixed before any exploit code
comes out.

Where as when dozens of huge companies get
screwed over by Microsoft's products because
Microsoft refused to provide patches even after
exploit code was released, it is their fault not
Microsoft's.

That's how it works in his world.

If you can't learn to live with that, don't read
his posts, they will only confuse you.
0 Votes
+ -
I have to ask this...
Rick_K 20th Jan 2010
When the Windows Zealots. and other known Anti-Apple trolls spread
their normal F.U.D., lies and other dishonest statements. Why bother? It
is not like they have any facts, just the PR material sent to them by
their Gods in Redmond. I actually feel bad for these misguided losers.
They are told to troll any available message board, and spread the word
according to the Lord Ballmer. It is not like they actually think for
themselves. Look at the trolls that usually post first on any Apple
related article. I doubt they have even seen a Mac up close. The big
headline was Internet Explorer is unsafe, but they blame everyone but
Microsoft. There is no golden software; nothing written by man, is
capable of being perfect. Computers are dumb, as they will follow
instructions no matter the outcome. The OS war is something started
by Microsoft, as a way to ridicule those that choose to not follow their
given instructions. Windows 7 is (By Microsoft's claims) the most secure
OS on the planet, yet i have seen two Windows 7 computers that were
infected by a number of viruses. I know the computers were infected
when I got emails with the virus in them sent to me. I believe it is the
W32/Autorun-ATC. But you have to remember it is not Microsoft's fault
for the OS flaws. It is the end users, and those nasty virus authors to
blame. Now if there is a potential virus for OS X then it is Apple's fault,
and Apples fault alone. This is the word from the Lord Ballmer, so it
must be true.
0 Votes
+ -
Because..
AzuMao 20th Jan 2010
..debate is good for the brain. And fun.
Isn't that enough?
0 Votes
+ -
what exactly did you have to ask?
*Gman* 20th Jan 2010
"When the Windows Zealots. and other known Anti-Apple trolls..."
So is everyone who doesn't use Apple products a troll? really?

"It is not like they have any facts, just the PR material sent to them by their Gods in Redmond. I actually feel bad for these misguided losers"

This is not FUD? I know this doesn't look exactly like you typed it, I had to remove some extra carriage returns. I guess Apples don't format text for you. What PR material comes to me from Redmond?

Fact: I have used MS products for over 20 years with no complaints.

Fact: I manage 75 Windows computers and 12 Macs. I don't see any difference in the number of problems they each have.

How do you know whether or not I am a loser. I tend to disagree with that.

"They are told to troll any available message board, and spread the word
according to the Lord Ballmer"

Don't know who Ballmer is and don't care. How do you know this person? Why do you care?

"It is not like they actually think for
themselves"

Who do you suggest does my thinking for me?

"I doubt they have even seen a Mac up close"

Actually, there is one waiting beside my desk to be repaired right now.

"The OS war is something started by Microsoft, as a way to ridicule those that choose to not follow their given instructions"

What exactly would those instructions be?

"yet i have seen two Windows 7 computers that were infected by a number of viruses. I know the computers were infected when I got emails with the virus in them sent to me. I believe it is the W32/Autorun-ATC..."

So did you see these infected computers or did you get infected emails from them? How did you know they came from different computers? They both had the same virus? Why aren't you sure what the virus was? Is 2 computers really a legitimate sample of all of the Windows computers in the world? Are you just making this up?

"This is the word from the Lord Ballmer, so it must be true."

Again with the Ballmer thing. Who is this and why do you keep quoting him?

Just curious.

Thank you for clearing all that up for me though.
0 Votes
+ -
Formatting Flaws Because You Use Safari
PMC-CON 20th Jan 2010
So, why can't Apple code a browser that can use a text box correctly?

Just asking.
0 Votes
+ -
RE: Mac OS X dirty dozen: Apple plugs critical security holes
efsane Updated - 8th Apr 2011
Great! !! thanks for sharing this information to us!
sesli sohbet sesli chat

Join the conversation!

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
ie8 fix
Click Here
ie8 fix

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
ie8 fix
ie8 fix