off the Press - News & Commentary
Friday, 12/03/ 2004 by Tech-Edge E-zine
16 Serious OS X Holes!
Cupertino, CA. – This Thursday Apple quietly
released a huge OS X Update that patches 16 potentially serious vulnerabilities
in their Operating System, that Mac-Heads proudly point to as always
being perfect. If fact, a Macintosh online site owned by MacWorld called
MacCentral, so soft-peddled a SPIN on the release called “Apple
releases December Security Update”, you would think it was a couple
According to the Apple
advisory, the update patches flaws that could lead to security bypass,
spoofing, exposure of sensitive data, privilege escalation, DoS (denial
of service) attacks and unauthorized system access. The Research firm
Secunia has tagged the update as "highly critical" and absolutely
One-third of the
patches dealt directly with the open-source Apache Web server, which
put most users at risk of serious DoS replay attacks. The Mac OS X Server-specific
"mod_digest_apple," was necessary because of multiple corrections
to the reply problems already patched in Apache server versions 1.3.31
Apple also plugged
multiple holes in Apache and “mod_ssl” that could be exploited
by hackers to inject malicious characters into error log files, bypass
certain security restrictions, gain escalated privileges, gain unauthorized
access to other Web sites, cause a DoS condition, and potentially compromise
a vulnerable system.
The update also patches
another security issue in Apache that results in access to ".DS_Store"
files and files starting with ".ht" not completely blocked in
the security setup. Apple said the problem exists because its HFS+ file
system handles file access in a case-sensitive way, while the Apache configuration
blocks access in a case-sensitive way. Also corrected are integer overflows
and poor range checking in TIFF handling in Appkit. "Flaws in decoding
TIFF images could overwrite memory, cause arithmetic errors resulting
in a crash, or permit the execution of arbitrary code. This update corrects
the problems in the handling of TIFF images," the advisory said.
There are also patches that plug a buffer overflow in PostScript-to-PDF
conversion that could allow execution of arbitrary code and a separate
flaw in the QuickTime Streaming Server that could lead to DoS attacks.
Apple's Safari Web browser was also patched to secure users against URL-spoofing
attacks and misleading information about which Web site launched a pop-up
With so many major patches and fixes in this release, it makes one wonder
why Apple has held off so long to release this monstrous “point”
patch release for OS X? With all the bashing that Mac-centric sites like
MacCentral gives to Microsoft at every Windows patch release, perhaps
Apple was trying to sneak this by under the general PC publics line of
sight. In other words, face saving.