Wednesday, March 19, 2008

Apple Megapatch Includes Long Lost Fixes

Via InformationWeek -

In one swing, Apple unleashes a tally of security updates that nearly surpasses all of the patches it released last year.

In Security Update 2008-002, Apple is fixing 87 security flaws that span 30 separate applications, a number of functions in OS X, as well as other platforms that range from Apache to X11.

This service pack-sized patch follows on the heels of an update to both the Windows and Mac versions of its Safari browser, with fixes for more than a dozen vulnerabilities.

The flaws in question create the usual software hazards, such as buffer overruns and the ability to inject malicious code into an unpatched system.

One of the more interesting fixes involves a cross-realm authentication issue with AFP Server. In this flaw, attackers may be able to create unauthorized connections to the server.

I installed both the updated version of Safari, as well as the Security Update on both a MacBook Pro and a Mac Pro each running Leopard.

So far, so good.

The patches can be downloaded manually from Apple's download support page, or via software update.

----------------------------------

The funny part about Apple patches is that they commonly fix issues which have been known about and fixed in the open source world for quite some time. Sure, OS X isn't perfect and it will have flaws. Windows has flaws as well...but there is a key difference.

Apple patches fix issues which are already fixed in the open source world....sometimes patched years before Apple got around to patching them.

Let's look at two of the oldest CVEs noted in the latest Apple patch:

CVE-2005-3352 - Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache httpd before 1.3.35-dev and Apache httpd 2.0.x before 2.0.56-dev allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps.
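The defect class behind CVE-2005-3352 is a request header copied into generated HTML without escaping. The following is an added illustration, not Apache code and not from the original post: a simplified re-creation of an image-map "menu" page that links back to the Referer, shown in its vulnerable form next to a hardened one (HTML escaping plus a scheme check on the URL), with a small helper a reviewer could use to spot raw header reflection in rendered output. The map entries and header values are constructed sample data.

```python
import html
from urllib.parse import urlsplit

# Constructed sample image map: (link text, target path). Stands in for the
# map file mod_imap would have read; not real Apache data.
MAP_TARGETS = [("home", "/index.html"), ("docs", "/docs/")]


def render_menu_unsafe(referer):
    """Vulnerable pattern: the Referer header is copied into the page verbatim,
    so any markup in the header becomes part of the rendered HTML."""
    items = "".join(
        f'<li><a href="{path}">{name}</a></li>' for name, path in MAP_TARGETS
    )
    back = f'<a href="{referer}">[Back]</a>' if referer else ""
    return f"<html><body><ul>{items}</ul>{back}</body></html>"


def render_menu_safe(referer):
    """Hardened pattern: every value placed into HTML is escaped (including
    quotes, since it lands inside an attribute), and the back-link is only
    emitted for http/https URLs so non-web schemes cannot be reflected."""
    items = "".join(
        f'<li><a href="{html.escape(path, quote=True)}">{html.escape(name)}</a></li>'
        for name, path in MAP_TARGETS
    )
    back = ""
    if referer and urlsplit(referer).scheme in ("http", "https"):
        back = f'<a href="{html.escape(referer, quote=True)}">[Back]</a>'
    return f"<html><body><ul>{items}</ul>{back}</body></html>"


def header_reflected_raw(header_value, rendered_html):
    """Review helper: True when the untrusted header text appears in the output
    unchanged, which is the condition the fix is meant to make impossible."""
    return bool(header_value) and header_value in rendered_html


if __name__ == "__main__":
    # Constructed test value: a Referer that carries markup (a harmless <b> tag).
    hostile = 'http://example.test/page"><b>injected</b>'
    print("unsafe reflects raw header:", header_reflected_raw(hostile, render_menu_unsafe(hostile)))
    print("safe reflects raw header:  ", header_reflected_raw(hostile, render_menu_safe(hostile)))
```

Running the block prints `True` for the unsafe renderer and `False` for the hardened one; the same `header_reflected_raw` check can be pointed at any template that echoes request data.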

When was CVE-2005-3352 patched by other vendors?

Red Hat issued a patch for this issue on Jan 5th, 2006.

IBM issued a patch for their IHS on June 13th, 2006.

So Apple is about 2 years behind other vendors that use open-source products at their core.

CVE-2006-3334 - Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to "chunk error processing," possibly involving the "chunk_name".

This vulnerability was patched in libpng 1.2.12 (released on Jun 27th, 2006).

So I think the real question should be....why does it take Apple almost 2 years to release patches for publicly known vulnerabilities?

These aren't some privately reported closed-source flaws...these are vulnerabilities which are known to the world....complete with patched open-source for anyone to RCE.

Apple should be glad there isn't a financial market for global exploitation of Macs....because at this point, I don't believe Apple has a true handle on backporting open source patches into their product line.

What if they were under direct attack from international crime groups?

Remember, I only looked at the oldest of near 90 vulnerabilities....
