Start your patching. MoAB hit the jackpot for Apple's security team.
Watchguard Livesecurity said:
Huge Security Update Fixes Thirty OS X Flaws
Severity: High
13 March, 2007
Summary:
Today, Apple released a security update fixing thirty security issues in software packages that ship as part of OS X, including Disk Images, Networking, and ImageIO. An attacker exploiting the worst of these security issues could execute code on your Mac, possibly gaining full control of your computer. If you manage OS X 10.3.9 or 10.4.8 machines, you should download, test, and install the appropriate Apple security update as soon as possible.
Exposure:
Apple's latest security update corrects vulnerabilities affecting software packages that ship with OS X 10.3.9 and 10.4.8. Many of these vulnerabilities allow attackers to execute any code they choose on your OS X machines, so we rate this update Critical. You should apply it as soon as you can. Some of the fixed vulnerabilities include:
Three code execution vulnerabilities in Disk Images. OS X ships with Disk Images components used to handle disk image (.DMG) files. Disk image files are special, compressed files that vendors often use to package software applications for you to download. For instance, if you've downloaded the latest version of Skype for OS X, you received a .DMG file. According to Apple, Disk Images suffers from three vulnerabilities involving the way it handles intentionally malformed .DMG files. By enticing one of your users into downloading and mounting a malicious disk image, an attacker could exploit any of these three flaws to execute code on that user's computer, with that user's privileges. Kevin Finisterre and his research partners originally disclosed some of these Disk Images vulnerabilities early in January, during their Month of Apple Bugs (MoAB). They also released public Proof-of-Concept (PoC) code that could allow an attacker to easily exploit some of these issues. With exploit code available in the wild, we recommend you patch immediately.
Buffer overflow in ColorSync. ColorSync is OS X's color management component. ColorSync suffers from a stack buffer overflow flaw involving the way it handles images with embedded ColorSync Profiles. By tricking one of your users into downloading and opening a specially crafted image, an attacker could exploit this flaw to execute code on that user's computer with that user's privileges. The attacker could then exploit other local vulnerabilities described in Apple's alert to gain complete control of that user's Mac.
Two code execution vulnerabilities in ImageIO. ImageIO is a software component that OS X uses to display image files. Apple's alert warns that ImageIO suffers from two vulnerabilities related to its handling of maliciously crafted GIF (.gif) and RAW images. If an attacker can trick you into viewing a booby-trapped GIF or RAW image (perhaps from a Web page), he can exploit this flaw to execute attack code on your computer, potentially gaining control of it.
Apple's alert includes 24 more flaws, including many more code execution flaws, like the ones described above. The remaining vulnerabilities also include Denial of Service (DoS) flaws, a few elevation of privilege flaws, and even a Cross-Site Scripting (XSS) flaw, plus others. The other components that this security update patches include:
CoreGraphics
CrashReporter
CUPS
DS Plug-ins
Flash Player
GNU TAR
HFS
HID Family
Kernel
MySQL Server
Networking
OpenSSH
Printing
QuickDraw Manager
servermgrd
SMB File Server
Software Update
sudo
Weblog
Refer to Apple's alert for more details.
Many of the flaws this update fixes originated from the Month of Apple Bugs (MoAB) and the Month of Kernel Bugs (MoKB). The MoAB and MoKB teams released many PoC exploits for the flaws described in Apple's alert. A motivated attacker could easily modify these PoC exploits and combine them in an attack that could yield the attacker full control of your OS X machines. Patch your OS X machines as soon as you can.
In a separate bulletin, Apple also fixed a security flaw in iPhoto 6.0.6. The flaw allowed an attacker to exploit a weakness in the "photocast" feature of iPhoto. If a user opens a maliciously crafted photocast, the attacker might be able to execute attack code. For more details, see Apple's iPhoto bulletin. If you use iPhoto on your network, install the patch.
Solution Path:
Apple has released updates to fix these vulnerabilities for both OS X 10.3.9 and 10.4.8. Apple OS X administrators should download, test, and deploy the appropriate updates as soon as possible.
Security Update 2007-003 (10.3.9 Client)
Security Update 2007-003 (10.3.9 Server)
Mac OS X Server 10.4.9 Update (PPC)
Mac OS X 10.4.9 Combo Update (PPC)
Mac OS X 10.4.9 Combo Update (Intel)
Mac OS X 10.4.9 Update (Intel)
Mac OS X 10.4.9 Update (PPC)
Mac OS X Server 10.4.9 Update (Universal)
Mac OS X Server 10.4.9 Combo Update (Universal)
Mac OS X Server 10.4.9 Combo Update (PPC)
Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend you let OS X's Software Update utility automatically pick the correct update for you.
For All Users:
These flaws support diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). The most secure course of action is to install the updates.
Status:
Apple released updates to fix these issues.
References:
Apple's March OS X Advisory