Saturday, January 06, 2007

On the so-called Month of Apple bugs

UPDATE: Updated through Day 12

By now you might have heard that two hackers, LMH and Kevin Finisterre, have a little project running called the Month of Apple Bugs. Here are the issues so far:
Day | Issue                                                                          | OSes Affected | OS X Issue (Yes, No)
1   | MOAB-01-01-2007: Apple Quicktime rtsp URL Handler Stack-based Buffer Overflow  | OS X          |
2   | MOAB-02-01-2007: VLC Media Player udp:// Format String Vulnerability           | OS X          |
3   | MOAB-03-01-2007: Apple Quicktime HREFTrack Cross-Zone Scripting vulnerability  | Windows       | No
4   | MOAB-04-01-2007: iLife iPhoto Photocast XML title Format String Vulnerability  | OS X          | No
5   | MOAB-05-01-2007: Apple DiskManagement BOM Local Privilege Escalation Vulnerability | OS X      | Yes
6   | MOAB-06-01-2007: Multiple Vendor PDF Document Catalog Handling Vulnerability   | OS X          |
7   | MOAB-07-01-2007: OmniWeb Javascript alert() Format String Vulnerability        | OS X          | No
8   | MOAB-08-01-2007: Application Enhancer (APE) Local Privilege Escalation         | OS X          | Yes
9   | MOAB-09-01-2007: Apple Finder DMG Volume Name Memory Corruption                | OS X          | Yes
10  | MOAB-10-01-2007: Apple DMG UFS ffs_mountfs() Integer Overflow Vulnerability    | OS X          |
11  | MOAB-11-01-2007: Apple DMG UFS byte_swap_sbin() Integer Overflow Vulnerability | OS X          | Yes
12  | MOAB-12-01-2007: Apple DMG UFS ufs_lookup() Denial of Service Vulnerability    | OS X          |

Issue Stats
  • 75% are Apple bugs
  • 42% are cross platform
  • 8% work on Windows only
  • 50% work on OS X only
  • 58% are OS X operating system bugs (Day 5,6,8,9,10,11,12)

Day 10+11+12 Comments
Days 10, 11 and 12 are integer overflows in the DMG UFS (Unix File System) mounting code. Days 10 and 12 are in functions shared with FreeBSD 6.1; Day 11 is in a function Apple uses to make the switch between big-endian and little-endian byte orders seamless. Day 12 presents no risk of code execution; it is purely a denial of service issue. As always, only open files from trusted sources. If you are using Safari, you should once and for all disable "Open "safe" files after downloading" (Safari > Preferences > General) to prevent any "drive-by" DMG download-and-open issues like these.
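
As an added illustration of the bug class behind Days 10 and 11 (this is constructed example code, not Apple's or FreeBSD's UFS code; the page does not show the actual vulnerable expressions), a mount routine reads a superblock that is stored big-endian on disk, byte-swaps it into host order, and then multiplies two fields to size a table. For a crafted image the 32-bit product wraps, so the unchecked path sizes a zero-byte table; the hardened path does the multiply in 64 bits and refuses the mount. The field names ncg and cgsize and the magic value 0x00011954 match real UFS1, but the three-field struct, the two sample images and the 64 MiB cap are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Three-field stand-in for the UFS1 superblock (the real one has dozens of
 * fields). Field names and the magic value match UFS1; everything else here
 * is constructed for this example. Values are stored big-endian on disk. */
typedef struct {
    uint32_t magic;   /* 0x00011954 for UFS1 */
    uint32_t ncg;     /* number of cylinder groups */
    uint32_t cgsize;  /* bytes per cylinder group */
} sb_t;

#define UFS1_MAGIC 0x00011954u
#define SB_RAW_LEN 12u
/* Assumed cap on the per-mount table, chosen for this example only. */
#define MAX_CG_TABLE_BYTES (64u << 20)

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Byte-swap the on-disk superblock into host order (the job of a function
 * like the Day 11 one). Sanity checks belong after this step, on the
 * swapped values, never on the raw bytes. */
int sb_read(const uint8_t *raw, size_t len, sb_t *sb) {
    if (len < SB_RAW_LEN) return -1;
    sb->magic  = be32(raw);
    sb->ncg    = be32(raw + 4);
    sb->cgsize = be32(raw + 8);
    return sb->magic == UFS1_MAGIC ? 0 : -1;
}

/* Vulnerable pattern: the 32-bit multiply wraps. A crafted image with
 * ncg * cgsize == 2^32 yields 0, so the caller allocates nothing and then
 * walks the table ncg times. */
uint32_t cg_table_bytes_unchecked(const sb_t *sb) {
    return sb->ncg * sb->cgsize;
}

/* Hardened: widen before multiplying, reject zero fields and oversize results. */
int cg_table_bytes_checked(const sb_t *sb, size_t *out) {
    if (sb->ncg == 0 || sb->cgsize == 0) return -1;
    uint64_t bytes = (uint64_t)sb->ncg * (uint64_t)sb->cgsize;
    if (bytes > MAX_CG_TABLE_BYTES) return -1;
    *out = (size_t)bytes;
    return 0;
}

/* Constructed sample images. Hostile: ncg = 0x10000, cgsize = 0x10000
 * (product exactly 2^32). Benign: ncg = 8, cgsize = 0x8000. */
const uint8_t HOSTILE_SB[SB_RAW_LEN] = {0x00,0x01,0x19,0x54, 0x00,0x01,0x00,0x00, 0x00,0x01,0x00,0x00};
const uint8_t BENIGN_SB[SB_RAW_LEN]  = {0x00,0x01,0x19,0x54, 0x00,0x00,0x00,0x08, 0x00,0x00,0x80,0x00};

/* Size the unchecked code would hand to its allocator, or UINT32_MAX on a bad header. */
uint32_t unchecked_alloc_size(const uint8_t *raw, size_t len) {
    sb_t sb;
    if (sb_read(raw, len, &sb) != 0) return UINT32_MAX;
    return cg_table_bytes_unchecked(&sb);
}

/* Table size the checked path would use, or 0 if it refuses the mount. */
size_t checked_alloc_size(const uint8_t *raw, size_t len) {
    sb_t sb;
    size_t n;
    if (sb_read(raw, len, &sb) != 0) return 0;
    return cg_table_bytes_checked(&sb, &n) == 0 ? n : 0;
}

int main(void) {
    printf("hostile image: unchecked size %u bytes, checked path %s\n",
           unchecked_alloc_size(HOSTILE_SB, SB_RAW_LEN),
           checked_alloc_size(HOSTILE_SB, SB_RAW_LEN) ? "mounts" : "refuses");
    printf("benign image:  unchecked size %u bytes, checked size %zu bytes\n",
           unchecked_alloc_size(BENIGN_SB, SB_RAW_LEN),
           checked_alloc_size(BENIGN_SB, SB_RAW_LEN));
    return 0;
}
```

The hostile header is valid by every per-field test (good magic, non-zero counts), which is why a check on the product, not on the fields, is what closes this class.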

Day 9 Comments
Seems like Day 9 is a variation on CVE-2006-6061. In short, don't download untrusted DMG files, and uncheck the Safari option "Open "safe" files after downloading".

Day 7+8 Comments
The Day 7 vulnerability in OmniWeb 5.5.1 has already been addressed with a new release, 5.5.2. You can read the release notes here or download the update if you use this browser.

Day 8 has vendetta written all over it. Seems like the MOAB folks were rebuffed by Landon Fuller when they offered to coordinate bug releases with bug fixes. I have to agree with Landon's decision not to coordinate with MOAB, because I agree it's irresponsible to announce exploits with proof-of-concept code and no vendor warning. I say this is vendetta day because the MOAB bug of the day is reported as an exploit in Unsanity's Application Enhancer, which is the utility Landon Fuller has been using to patch the MOAB issues as they come in. Also, look at the stats: as of Day 8, only 38% (3 of 8) are OS X bugs. I am counting Day 8 as an OS X bug because there is at least a problem in the OS X permissions on /Library/Frameworks.

Day 6 Comments
At first I thought LMH was taking credit for this Adobe Acrobat flaw, which appears more serious than originally thought, but I don't think that is the case. Looks like he has an entirely new flaw, but again this isn't an Apple OS X flaw; it's a flaw in one of the most popular file formats in use on the Web and it affects close to all OSes in use. Yes, Preview (the OS X PDF viewer and web plug-in) is affected, and I have counted this as an OS X issue, but again this is not a uniquely Apple problem. Curiously, if you upgrade to Adobe Acrobat 8.0, neither the PDF cross-site scripting problem nor this MOAB issue will affect you. If you load the sample bad .PDF from MOAB in Preview, you experience a denial of service for Safari and have to Force Quit it, but on a Core Duo this is almost more an annoyance than an actual DoS. LMH doesn't say whether Preview could be remotely exploitable, but it's probable, with the wide variety of applications affected here, that at least one instance could be exploited. For now, though, this isn't critical.

Day 5 Comments
Finally. Day 5 is an actual OS X operating system vulnerability. LMH and Kevin Finisterre didn't discover this:
This issue is being actively exploited in-the-wild and we would like to thank an anonymous contributor for bringing the 0-day to our attention, taking advantage of this issue.
They say they did the exploit work. This issue is a local privilege escalation, so on its own it can't be exploited remotely; it has to be combined with another issue that first gets attacker code running as the logged-in admin user, like the QuickTime RTSP handler issue on Day 1. Still, MOAB claim it is being exploited in the wild, making it a zero-day bug. Landon Fuller's post summarizes the key points nicely:
Today's Month of Apple Bugs issue permits a local admin account to gain root access, without any user interaction (ie, an authorization dialog), by exploiting a combination of vulnerable disk permissions and Disk Utility's repair permissions functionality.
You can prevent being exploited by this issue, even via a remote exploit chain, by removing the setuid bit from the tool with the following command:
sudo chmod -s /System/Library/PrivateFrameworks/DiskManagement.framework/Resources/DiskManagementTool
Verify afterwards that the setuid bit really is gone from the file's permissions. This may cause problems when you have to run Disk Utility; run the opposite command before running Disk Utility, or when Apple releases a patch:
sudo chmod +s /System/Library/PrivateFrameworks/DiskManagement.framework/Resources/DiskManagementTool
What issue would LMH and Kevin Finisterre have had for us today if they hadn't received the anonymous tip on this issue?

Also, the WebKit folks (the open source components of Safari) have created Bug 12107, "Security Regression: Plugins load remote javascript in embedded page's context", for the QuickTime XSS issue (Day 3). What's interesting is that Firefox on OS X, IE 6, Opera 9.10 on OS X, and a few others (read through the comments in the bug) all show the JavaScript alert that is the payload of this Landon Fuller test, but I don't see it! The comments on the bug suggest it may have to do with third-party QuickTime components changing the way handlers are resolved, so you might have to remove them for the exploit to be run by the QuickTime plug-in.

Day 4 Comments
The VLC project has published an advisory for the Day 2 vulnerability, and the issue has been fixed. Downloads are available for Windows and OS X.
The iPhoto Day 4 vulnerability is more interesting to me than the previous three because it's the first that is OS X only. Either way, check the MOAB Google Group Landon Fuller created, which has the fix contributed by one of the group members, William A. Carrel.

Day 3 Comments
InMuscatine has an amusing take on today's "issue". Let's review. This QuickTime bug only affects Windows users; as Landon Fuller says, OS X 10.4.8 is not vulnerable to this attack.

Day 2 Comments
First, Landon Fuller is posting patches for each issue as it comes in, so if you can't or don't want to wait for vendor fixes, you can use these. VLC has already patched the holes in source; now we wait until the app actually gets released.
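
Three of the issues so far (Day 2's udp:// URL in VLC, Day 4's photocast title in iPhoto, Day 7's alert() message in OmniWeb) are the same bug class: attacker-controlled text reaches a printf-style function as the format argument instead of as data. The C below is an added example, not VLC's, iPhoto's or OmniWeb's code. It shows the vulnerable shape through a typical application logging wrapper (fmt_into, assumed for this example), the one-argument fix, and a directive counter you can apply at the input boundary. The sample title contains only the harmless "%%" so the run stays defined behaviour; a real attack title would carry %x to read the stack or %n to write memory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Typical app-level formatting wrapper (assumed for this example). Because it
 * is not declared printf-like, the compiler cannot warn when a caller passes
 * untrusted text as fmt; this is how the bug survives code review. */
static int fmt_into(char *out, size_t outlen, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int w = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return w;
}

/* Vulnerable shape: the untrusted title IS the format string. A "%x" in the
 * title reads the stack, a "%n" writes to memory. */
int render_title_vulnerable(char *out, size_t outlen, const char *title) {
    return fmt_into(out, outlen, title);
}

/* Fixed shape: the title is an argument to a constant format. */
int render_title_fixed(char *out, size_t outlen, const char *title) {
    return fmt_into(out, outlen, "%s", title);
}

/* Input-boundary check: number of conversion directives in s ("%%" is a
 * literal percent, not a directive). Any count above zero in a field that is
 * only ever supposed to be data is worth logging or rejecting. */
int count_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

/* Constructed sample title. "%%" is the one directive-free way to get a '%'
 * through both paths, so the two renderings differ visibly without
 * undefined behaviour. */
static const char SAMPLE_TITLE[] = "Holiday photos 100%% uploaded";

const char *rendered_vulnerable(void) {
    static char buf[64];
    render_title_vulnerable(buf, sizeof buf, SAMPLE_TITLE);
    return buf;   /* the title was interpreted: "%%" collapsed to "%" */
}

const char *rendered_fixed(void) {
    static char buf[64];
    render_title_fixed(buf, sizeof buf, SAMPLE_TITLE);
    return buf;   /* the title was copied byte for byte */
}

int main(void) {
    printf("vulnerable: %s\n", rendered_vulnerable());
    printf("fixed:      %s\n", rendered_fixed());
    printf("directives in \"%%x%%x%%n\": %d\n", count_directives("%x%x%n"));
    printf("directives in sample title: %d\n", count_directives(SAMPLE_TITLE));
    return 0;
}
```

The difference between the two renderings is the whole bug: if a title, URL or alert text can change what the formatter does rather than only what it prints, the same input with %x or %n gets memory access instead of a changed string.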

Second, of the bugs released so far, 50% are actually Apple bugs, and 100% are cross platform and affect Windows as well. I was expecting ACTUAL OS X ONLY bugs, not application bugs that also work on OS X. It's early in the month. I can imagine these attention whores holding out on their big gun bugs until Macworld (1/9/2007), these are probably just the warm-up, and they do appear serious, but on day 2 to announce a cross platform application bug and say this is an "Apple bug" seems desperate to me.

What is annoying is some of the media coverage. eWeek's Security Week titles its article "VLC Media Player Bug Bites at Apple", which is, I believe, intentionally misleading, since this is at least a Windows and OS X issue. Here is the comment I posted:
So this is a bug in a cross platform application that affects at least both OS X and Windows, so how does this just bite Apple? The headline is misleading, as I suspect you know. This is no different than a bug in Firefox, or the previous one in Quicktime, or Skype, Word, Excel, the list goes on. Also, does the version of OS X matter? Does the version of Windows?

Surprisingly, CNET's article about Day 1, "QuickTime zero-day bug threatens Macs, PCs", is a fairer and more accurate report. I will most likely keep this updated over the month.