Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Mac OS X mega patch covers 58 security vulnerabilities

By | November 9, 2009, 2:17pm PST

Summary: The most serious of the flaws could allow a remote attacker to gain complete control of an unpatched system.

Apple has dropped another mega-patch to cover a total of 58 documented vulnerabilities affecting the Mac OS X ecosystem.

The majority of the flaws could allow a remote attacker to gain complete control of an unpatched system, meaning that this update carries an “extremely critical rating.”

It includes patches for open-source components like Apache and PHP and security holes in the QuickTime media player.

Here’s a glimpse of some of the more serious issues covered in the Security Update 2009-006/Mac OS X v10.6.2 patch bundle:

  • AFP Client — Multiple memory corruption issues exist in AFP Client. Connecting to a malicious AFP Server may cause an unexpected system termination or arbitrary code execution with system privileges.
  • Apache — Apache is updated to version 2.2.13 to address several vulnerabilities, the most serious of which may lead to privilege escalation. A separate patch corrects a flaw that allows an attacker to use the TRACE HTTP method in the Apache Web server to conduct cross-site scripting attacks through certain web client software.
  • Apache Portable Runtime — Multiple integer overflows in Apache Portable Runtime (apr) may lead to an unexpected application termination or arbitrary code execution.
  • ATS — Multiple buffer overflows exist in Apple Type Services’ handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution.
  • CoreGraphics — Multiple integer overflows in CoreGraphics’ handling of PDF files may result in a heap buffer overflow. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution.
  • CoreMedia — Memory corruption and heap buffer overflow issues exist in the handling of H.264 movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution.
  • CUPS — An issue in CUPS may lead to cross-site scripting and HTTP response splitting. Accessing a maliciously crafted web page or URL may allow an attacker to access content available to the current local user via the CUPS web interface. This could include print system configuration and the titles of jobs that have been printed.
  • Dictionary — A design issue in Dictionary allows maliciously crafted JavaScript to write arbitrary data to arbitrary locations on the user’s filesystem. This may allow another user on the local network to execute arbitrary code on the user’s system.
  • DirectoryService — A memory corruption issue exists in DirectoryService. This may allow a remote attacker to cause an unexpected application termination or arbitrary code execution. This update only affects systems configured as DirectoryService servers.
  • Disk Images — A heap buffer overflow exists in the handling of disk images containing FAT filesystems. Downloading a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution.
  • Dovecot — Multiple buffer overflows exist in dovecot-sieve. By implementing a maliciously crafted dovecot-sieve script, a local user may cause an unexpected application termination or arbitrary code execution with system privileges.
  • ImageIO — A buffer underflow exists in ImageIO’s handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
  • Kernel — Multiple input validation issues exist in Kernel’s handling of task state segments. These may allow a local user to cause information disclosure, an unexpected system shutdown, or arbitrary code execution.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.


Yikes, that sounds bad
NonZealot 9th Nov 2009
The majority of the flaws could allow a remote attacker to gain complete control of an unpatched system, meaning that this update carries an "extremely critical rating."

Makes me glad I run an alternate OS.
0 Votes
Heh
jeremychappell 9th Nov 2009
Makes me glad I've patched it wink

Seriously, I too run an "alternative OS" - but that recently became "toast"
after an upgrade (Ubuntu) though everything is well with that system
now (Phew!) It is useful to have a number of systems.

However, I'll admit a soft spot for my Mac... no it isn't especially young
(quite the contrary, it's the oldest Mac that'll run Snow Leopard) but it is
my favourite system to use (the Ubuntu box has a bigger display
though).
0 Votes
Dat sounds SWEET.
AdventTech67 9th Nov 2009
I still have an old G-3 (Yosemite) Blue&White running TIGER for my
Extremely old Backups. I still have them.

Snicker,SMIRK,,, ---let your imagination wonder???
0 Votes
Alternate OS
WarhavenSC 10th Nov 2009
Not using OS X doesn't necessarily make you immune to many of the vulnerabilities listed in the article.

There are also many non-Apple people out there (yes, including Windows users like you) who use Apache, CUPS, Java, LDAP, Dovecot, etc.

Since OS X relies on many 3rd party and open-source technologies in their operating system, Apple of course includes patches for them in their OS updates. Simply not using OS X doesn't necessarily render you immune if you're using the same software on another operating system.
0 Votes
Err...
jeremychappell 10th Nov 2009
I use Mac OS X. I also have a machine that isn't Mac OS X. Why do I do
this? Well I rely on computers to get me work done. So my first
computer is a Mac, this is a damn good start, I keep it patched and I
think before typing my account password. If I had to use just one
machine, this is what I'd use.

However, I use Linux (in various guises) for all kinds of "projects"
(Firewalls, VoIP PBXs, Database Servers) and so it makes sense (to me
at least) to have a "backup" machine, This is a system I built, and it
runs Ubuntu, cost wasn't an issue when this machine was put
together, and so this isn't a "shoestring" Linux box. Linux can make a
nice budget system (and I've built those) but I actually think Linux can
make sense even when cost isn't the number one priority.

OK I know you're wondering; Windows? Yeah, sometimes. I have
clients on that OS, and I do use it to support them. I don't choose it,
mostly because I looked after a very large Windows network for over a
decade and I'm just uninterested in it after such exposure. Somewhere
along the line I stopped enjoying it. I miss all the Unix commands
when they're not available.
0 Votes
Poor examples...
edwards.wb 10th Nov 2009
Windows users don't use Apache, Dovecot, or CUPS...

But I do get your point, though I don't think that there are many (if any) out there who think that Windows or *nix are without vulnerability, but I think that this kind of article is important for those out there who are ignorant enough to believe that OSX is completely secure and invulnerable.

I'm not really an OSX fan myself, I use Windows primarily, various Linux distros for specialized purposes. I know that OS X has its place in the market and is a good option for certain users, I just get tired of those certain users claiming that OS X is some sort of deity among operating systems; that Apple is some omnipotent, infallible entity.
0 Votes
Good grief
frabjous 10th Nov 2009
From the number of times the illogically named NonZealot troll is
the very first to respond to any article about Apple, it is clear
he/she doesn't run anything.

It was interesting that Mr. Naraine did not mention in his article
that this update included a number of security fixes already
issued--as is stated in the brief explanation that accompanied the
update. Of course, that would detract from the sensationalism...
0 Votes
Rumour has it...
914four 15th Nov 2009
...that he/she accesses this site via a Sun Ray stateless thin client that has no user settings and offers only a browser with zdnet as the homepage.
0 Votes
re: Yikes, that sounds bad
Gis Bun 10th Nov 2009
An "alternate OS". You mean Windows 7? happy
0 Votes
Good one, NZ
Tigertank 10th Nov 2009
Looks like you have 58 more reasons to live. wink
0 Votes
First Post...
An Apple a Day 10th Nov 2009
.....again? Hmmmmm......
0 Votes
473MB?!?!?!
ye 9th Nov 2009
How do dial up users get this update?
0 Votes
The Dial-Up Question
DannyO_0x98 9th Nov 2009
Let it run overnight. Which is what I did a few years back on dial-up
when it was time to download new ~600 MB ISOs for FreeBSD.

But, recent Macs have not included modems, so I think Apple believes
its customers are using WiFi and high speed connection.

A comment about size, Security Update 2009-06 is listed as being 143
MB, and this is what I installed on this Leopard machine. Since it is
Leopard, it is a universal binary. I see the Leopard Server version of
2009-06 is 330 MB.

The Snow Leopard update is undeniably large (and not universal), and
it also consists of more than security fixes. Some might argue that it
is Snow Leopard SP2 and let's say hello to it on day 74. Honeymaster,
in the even-handed way he approaches all matters Apple, asks if this
indicates a premature release of Snow Leopard. Yes. No. Maybe. No, I
take that back. Snow Leopard has been smoothing out faster than
Leopard did. That of course is said under advisement, as I've now had
10.6.2 installed for 3-4 hours and all I may really report is that it idles
nicely.

Did you see that they say they fixed that guest account bug? Woo-
hoo. Well, it hadn't bit me, but a fix is a fix.

Look, about these updates and security things, it is what it is.
Tomorrow we see the size of the Microsoft monthlies and I can
categorically state that I don't care about how big it is, I'm patching
what needs fixing over there.

Frankly, I don't know any operating system that would be pleasant to
use these days with a dial-up connection. You're usually on the side
of deflating hyperbole, dumb assertions, and hype. What happened?
Tough day at the office?
0 Votes
Er.... "Idles nicely...?"
Wolfie2K3 10th Nov 2009
That of course is said under advisement, as I've now had 10.6.2 installed for 3-4 hours and all I may really report is that it idles nicely.

Ok.. So come back and tell us all about how nice it is once you've put it to WORK...
0 Votes
The actual size of the patch..
msalzberg 9th Nov 2009
is 157.7MB. A lot smaller, but I'd still hate to download it via dial-up.
0 Votes
157.7MB here as well
oncall 9th Nov 2009
And I'm finishing the second of three Macs. Where is this 400+MB coming from, a fresh install?
0 Votes
The larger file...
msalzberg 9th Nov 2009
is the combo update, the smaller is the standalone update. If you've
already updated to 10.6.1, your update file size is 157.7MB.
0 Votes
No, the actual size is 479MB
ye 10th Nov 2009
http://support.apple.com/kb/DL959

I see you're on a quest to ignore all fact but there it is.
If you weren't such a tosser you'd have been honest and reported what you would have read about the larger file size being a combo update, but if you're already at 10.6.1 then it's the smaller, but still large 157 MB.
0 Votes
What a lame response.
ye 10th Nov 2009
Attempt to pass off your buddy's failings on me. I provided a link where anyone can go and find the details themselves. Hardly a sign of being dishonest. But hey...it's all you have so I'm not surprised you're using it.
0 Votes
Lame? That's you...
zkiwi Updated - 10th Nov 2009
You are the person who is pointing to the larger combo update, and ignoring the smaller and more likely update.
0 Votes
The size of the combo patch...
msalzberg 10th Nov 2009
is 479MB. That is the patch that updates you from 10.6 to 10.6.2. The
standalone patch is 157.7MB. That gets you from 10.6.1 to 10.6.2.
That's the size of the patch a computer running 10.6.1 will have using
Software Update.

Those are the facts.
The size of the combo patch is 479MB.

...

Those are the facts.

Sheesh, took you long enough and made you look a fool at the same time.
0 Votes
So will you admit...
msalzberg Updated - 10th Nov 2009
that the standalone is 157.7? Or will you continue to be a fool?

By the way, please note that I stated in a response above that there were
two different update files.
...that there was a 157.7MB download. Have I? Not that I recall. Congratulations on building a strawman.
0 Votes
@ye, always picking a foolish fight.
msalzberg Updated - 10th Nov 2009
You stated over and over that the patch was 479MB. You didn't explicitly
deny the existence of the smaller patch; you completely ignored it,
thereby denying its existence implicitly. Anyone reading only your posts
would have no idea that using Software Update gives you a much smaller
file to download.

Will you admit that there's a 157.7MB version of the patch?
0 Votes
What a discussion
oncall Updated - 10th Nov 2009
LOL. Come on the patch is 157.7MB. That's the only information worth stating. Why? Because unless you fresh install or purchase a new Mac 473MB is a totally irrelevant number because you haven't been and probably are not going to update your Mac anyway. But if cumulative adds are your thing, we will look forward to the same inane posts when we hit 10.6.3 "700MB OMFG! Thank goodness I don't own a Mac, but feel the need to spout bile and start long discussion over something that is completely irrelevant to my existence."
You didn't explicitly deny the existence of the smaller patch; you completely ignored it,
thereby denying its existence implicitly.


Sorry no matter how much you need it to be true it is not.
0 Votes
So, stop lying about lying, ok?
0 Votes
@zkiwi: No, they cannot.
ye 11th Nov 2009
except that people can lie by omission

No matter how much you need it to be true, no matter how many times you repeat it, it will not be true.
0 Votes
And you know that to be true.

Propaganda does it all the time. I'm sure you've heard of propaganda, or not. Salespeople lie by omission too, as do politicians. And so do you, which has been demonstrated here.
0 Votes
Complete list of operating systems with GUIs;
Gentoo
Ubuntu
Red Hat
OSX
openSUSE
FreeBSD
OpenBSD
NetBSD




Oh look, no Windows on the list.. but according
to ye, this post isn't a lie.
0 Votes
What's dial up?? (NT)
Runningwithscissors 10th Nov 2009
NT
0 Votes
Sound effect?
Raid6 10th Nov 2009
I think dial up is a Hollywood sound effect, but don't quote me on that...
0 Votes
they don't
tech_farmer 10th Nov 2009
they get DSL. Nowadays dialup is about useless.
0 Votes
re: 473MB?!?!?!
Gis Bun 10th Nov 2009
Download it elsewhere, burn to CD or dump to a USB key.

This thing is bigger than just about any service pack for Windows and almost equals the install source files of Windows XP!
0 Votes
Yet it is smaller than....
Rick_K Updated - 11th Nov 2009
The Snow Leopard update is 157.7 MB (actual, I have a screen shot, but
they won't let me post it on here) while the Vista SP 2 is 348.3 MB

http://www.microsoft.com/downloads/details.aspx?FamilyID=a4dd31d5-f907-4406-9012-a5c3199ea2b3&displaylang=en

Now add the size of Windows Vista SP1, which is 434.5 MB

http://www.microsoft.com/downloads/details.aspx?familyId=B0C7136D-5EBB-413B-89C9-CB3D06D12674&displaylang=en

Which brings the total to 782.79!!! How long on dial up for that?

Now let's talk the other cash cow. Office

http://office.microsoft.com/en-us/downloads/FX101321101033.aspx
Look at the download times!!!
1. 2007 Office Service Pack 2 Download Now 5 hr 45 min
2. 2007 Office Service Pack 1 Download Now 8 hr 52 min
3. Office 2003 Service Pack 3 Download Now 4 hr 47 min

Even the update for Office 2008 is larger at 349mb!

http://www.microsoft.com/mac/downloads.mspx?pid=Mactopia_Office2008&fid=B84FE57D-DDDA-451E-9EAD-69E10AEE7928#viewer

0 Votes
Sucks to be ye.
AzuMao 10th Nov 2009
Looks like you're going to have to stick with
Windows for all your dialup needs.. oh wait, the
combo updates
for Windows are just as ******* big. Oops. Looks
like you're screwed unless you switch to *nix, ye.
Or toss out the dial-up!
And I'm in no denial that it is 434.5MB unlike many Mac fanboys.
the OS, and thus, a fair comparison to Windows'
service packs?
0 Votes
Patch information
MACPCWTEVR 11th Nov 2009
Why are you still hanging on to this?! Yes, the combo patch is 434.5
MB. NO ONE IS ARGUING THAT!!!! What we are asking you to do is
acknowledge that the incremental patch, which will be primarily what
everyone who regularly uses software update will get, is less than half
of that. THIS IS A FACT!!! I DID IT MYSELF THE OTHER DAY!!! As others
have already stated, the only reason the combo update would be
needed is if they were doing a clean install of 10.6 and then updating
to 10.6.2. If you just want to go by full combo updates lets take a look
at XP or Vista and see how much a full update from a clean install
would be! Granted, those have been around longer than Snow
Leopard, but I'd be willing to compare them with Leopard or even
Tiger to see which one has the biggest download, and ultimately
afterward, which is most secure.
0 Votes
n/t
0 Votes
Really?!
MACPCWTEVR 11th Nov 2009
Who the heck still uses dial up? I know there are a few, I hope it's mostly
those in locations who can't get anything else. But for those who are
stuck in the past and refuse broadband just because "I've always used
dial up" (my mother in law), get with the program or stop complaining
about the bed you made by sticking with an obsolete technology.

Sorry about the rant folks. I just keep encountering this situation and the
person complaining hardly ever has a good excuse.
0 Votes
There is a potential positive spin on this
honeymonster Updated - 9th Nov 2009
Doesn't reinforce the "just works" or "superior
security because it is based on Unix" image of
OSX.

But there IS a positive twist on this. As far
as I could count, some 14 of the
vulnerabilities are actually credit: Apple.

Which could lend some credence to a theory that
Apple is investing in a concerted effort to get
their own house in order. Finally.

If that is so we should not expect patches of
this size to continue.

However, this IS a big one to follow so close
after the general release of a new OS version.
Especially considering this is the 2nd such
biggie, it begs the question:

Did Apple rush the release of Snow Leopard,
shortcutting quality control procedures and
thereby exposing their customers to risks?
0 Votes
I don't think so...
jeremychappell 9th Nov 2009
There is a similar patch released for Leopard (the non-snowy kind).
Actually I'm not sure the size of a patch is much of a measure. Many
would prefer few large patches, rather than lots of small patches (makes
testing less painful).
0 Votes
The answer to this question is: Yes.
Captiosus 10th Nov 2009
"Did Apple rush the release of Snow Leopard,
shortcutting quality control procedures and
thereby exposing their customers to risks?"

Simply put, the answer to this is "Yes".

Snow Leopard came out a full month earlier than it was supposed to. No word on why or how, it just "did".

And as soon as it did, massive exploits were found which Apple had to do a rush job to fix. I outright refused to use my Macbook until the initial patches were in place. These were exploits that were either known about or easily fixed, given that the updates were available within a week.

So they released a month early and with 3 weeks before the original release date they had patches already being delivered. Yes, I'd say it was released early at the risk of all Mac users, and Apple knew it.
0 Votes
Here is some old news:

2006:
Vulnerability statistics for Mac and Windows
http://blogs.zdnet.com/Ou/?p=165

2007:
Apple plugs eight more QuickTime holes
http://blogs.zdnet.com/security/?p=369

Mac users waiting months for 'critical' Java runtime update
http://blogs.zdnet.com/security/?p=469

Apple delivers hefty patch haul; Addresses Leopard flaws and Safari
http://blogs.zdnet.com/security/?p=757

Seems like the stream of bug fixes is quite constant.

Why do they put them there in the first place? happy
0 Votes
A Reasonable Question
Zonny 10th Nov 2009
While not germane to Apple's success story discussion, I keep wondering why the Macs are not susceptible to trojans, worms and other forms of malware.

We know there have been countless updates to the Mac OS and to Safari. So there must be vulnerabilities, which like Windows keep getting patched.

If one of the bad guys ever writes the code to infect Macs, there will be a lot of unhappy Mac users. I do not wish this happens, but I do wonder when it will happen as the Mac gains more usage.
0 Votes
Considering the number of Apple haters out there, you would think that
some hacker would want the bragging rights to be the one that took
down the Mac community. Especially considering that, most Macs don't
have any virus protection at all. Yet I have yet to see that headline.
Interesting.
0 Votes
Same question I've been asking
Wintel BSOD 10th Nov 2009
Lots of noise among the Redmond staff here, but little in actual exploits or Apple coded malware kits being released into the wild.

I'm sure the same old FUD reports will be trotted out by the M$ trolls soon. They get paid by the mouseclick.
0 Votes