HomeDeveloper

Apple Issues Patch for Mac OS X

Ryan Naraine
By Ryan Naraine

Apple Computer has rolled out a major security update to plug several vulnerabilities in its flagship Mac OS X server and client versions.

The patch, which is being described as “highly critical,” addresses security issues with the AFP Server, CoreFoundation and IPSec and also integrates a previously issued patch which contained bugs, Apple said.

The latest flaws, discovered by researchers at @Stake, could lead to system hijack, security bypass, manipulation of data, privilege escalation, denial-of-service attacks and system access.

The most serious flaw was found with AppleFileServer and can be exploited to compromise a vulnerable system. The vulnerability is caused due to a boundary error within the password handling and could allow attackers to cause a buffer overflow by passing an AFP “LoginExt” packet with a string in the “PathName” field.

“Successful exploitation allows execution of arbitrary code with ‘root’ privileges,” according to a separate warning issued by independent research firm Secunia.

Secunia said it tagged the flaw as “highly critical” because Apple’s advisory was vague and that the “unspecified issues are likely to be more severe than claimed by the vendor.”

“This conclusion is based on the fact that Apple merely describes vulnerability 3 as an attempt to “improve the handling of long passwords”. However, according to @stake, the vulnerability can in fact be exploited to compromise a vulnerable system,” Secunia explained.

The patch also addresses some older known vulnerabilities in Apache 2 which can be exploited by malicious attackers to inject malicious code into log files and cause a denial-of-service condition.

A fix was also issued for two vulnerabilities in the IPSec implementation that could lead to MitM attacks (man-in-the-middle), establish unauthorized connections, or cause a DoS.

Apple also confirmed the existence of an unspecified vulnerability within the CoreFoundation when
handling environment variables. This may potentially be a privilege escalation vulnerability. Another flaw in RAdmin when handling large requests was also pinpointed. Secunia warned that this issue could
potentially lead to system compromise problems.

Apple has posted download
links for the appropriate security update on its Web site. The full
@Stake advisory is availab
le here.

Ryan Naraine
Ryan Naraine
Previous article
HP, BT in $1.5B On-Demand Alliance
Next article
Transcend JetFlash WLAN

Similar Posts

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web

InternetNews is a source of industry news and intelligence for IT professionals from all branches of the technology world. InternetNews focuses on helping professionals grow their knowledge base and authority in their field with the top news and trends in Software, IT Management, Networking & Communications, and Small Business.

Advertisers

Advertise with TechnologyAdvice on InternetNews and our other IT-focused platforms.

Advertise with Us

Menu

Our Brands

Property of TechnologyAdvice.
© 2024 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.