Analysis: Apple's security updates examined

Everyone likes free gifts from Apple, particularly free software updates. Better stuff for free—who could argue? Yet, when Apple released four software updates in the span of two weeks, from November 15 through November 29, coming on the heels of a large and largely undocumented Mac OS X update, it was enough to give anyone pause.

To shed some light on this recent round of updates, let’s take a look at Security Update 2005-009, the most significant and widely relevant one of the bunch.

Security Update 2005-009

You might have been even more confused about the November 29 release of Security Update 2005-009 than usual, at least if you run Mac OS X 10.3.9. For the first day of release, the links on Apple’s download page were broken and redirected your browser to, well, nothing. Software Update correctly presented and downloaded Security Update 2005-009 on Mac OS X 10.3.9 systems, but people who wanted to download it manually from a browser had to wait until the next day.

With that resolved, Apple’s ninth security update of 2005 was available in the four expected configurations: for Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4.3, and Mac OS X Server 10.4.3. The Tiger versions are 5MB and 6MB for regular and server versions, respectively; the Panther versions are 20MB and 33MB, respectively. They’re bigger because the Panther versions, unlike the Tiger versions, include fixes from earlier updates, including files we found in Security Updates 2005-008 and 2005-007. The Tiger versions do not include older fixes because they require Mac OS X 10.4.3, which was released on Halloween and includes Security Update 2005-008 and earlier fixes.

That, by the way, is not to say that Mac OS X 10.4.3 itself doesn’t include new security fixes not previously found in any security update. It does. The five documented security vulnerabilities closed in Mac OS X 10.4.3 are summarized in the table below. Two of them involve misleading or delayed changes to group membership or file ownership, another concerns Keychain Access failing to obscure any displayed passwords when their keychain locks due to a timeout, and another prevents you from un-ignoring a pending Software Update unless a new, non-ignored update has arrived. (If all this wasn’t confusing enough, the vulnerability numbers now all start with “CVE” instead of “CAN” thanks to a renaming decision implemented on October 19.)

Security Fixes in Mac OS X 10.4.3

| Component | Issue | Vulnerability ID | 10.4.2 client | 10.4.2 Server |
|---|---|---|---|---|
| Finder | Displayed file and group ownership information may have little to do with actual ownership information | CVE-2005-2749 | X | X |
| Software Update | Marking all available updates as “ignore” made Software Update quit instantly without giving a chance to reset the status of any previously ignored update | CVE-2005-2750 | X | X |
| Keychain Access | If a keychain locks due to timeout while displaying a stored password in that keychain, the password remained visible instead of becoming obscured when the keychain locked | CVE-2005-2739 | X | X |
| memberd | Dæmon that applies changes to group membership didn’t update Access Control Lists (ACLs) quickly enough, allowing users who had been deleted from groups to continue accessing group files | CVE-2005-2751 | * | X |
| Mach kernel | Kernel interfaces might return data from “uninitialized” memory that had actually already been used and released by the kernel, potentially containing leftover sensitive data | CVE-2005-1126, CVE-2005-1406, CVE-2005-2752 | X | X |

X = Fixed in this update; * = Affected component or feature was never in this version

The kernel vulnerability fixed in Mac OS X 10.4.3 deserves a moment of explanation. Programs request memory from the operating system to use for their own purposes, and they release it back to the OS when they’re done with it, so the OS may reuse it for other RAM requests. Most programs don’t erase the contents of memory before releasing it, though, because that takes time and is usually unnecessary. The OS doesn’t erase released memory for the same reason.

The kernel, however, should erase memory it releases. The kernel never wants to pass along uninitialized memory to callers, because the caller could then see some of what other kernel code had stored in that RAM—a file buffer, a password, a network packet, and so on. Suresec found two problems that could reveal kernel memory to callers in Mac OS X (or FreeBSD, or both), and the FreeBSD folks found the other one. Mac OS X 10.4.3 fixes all three, but Apple has not disclosed if Mac OS X 10.3.9 suffers from similar defects.
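The following is an added example, not Apple’s or FreeBSD’s kernel code, that models the defect in miniature. A toy single-block arena stands in for kernel memory; one caller stores a secret in it and releases it, and a second caller is handed the same block. Releasing without a scrub lets the second caller read the first caller’s data; the scrubbing release does not. The arena, the function names and the sample secret are all constructed for the illustration.

```c
/* Added example (not Apple's or FreeBSD's code): a toy fixed-size arena
 * that models kernel memory being handed out, released and reused.  It
 * shows why a kernel must scrub memory it releases: without the scrub,
 * the next caller of the same block sees the previous owner's data. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define BLOCK_SIZE 32

/* One block stands in for a chunk of kernel memory. */
static unsigned char arena[BLOCK_SIZE];
static bool in_use = false;

/* Hands out the block.  Deliberately does no initialisation, which is
 * the behaviour that turns a skipped scrub into a disclosure. */
static unsigned char *arena_alloc(void) {
    if (in_use) return NULL;
    in_use = true;
    return arena;
}

/* Unsafe release: gives the block back without touching its contents. */
static void arena_release_unscrubbed(unsigned char *p) {
    (void)p;
    in_use = false;
}

/* Safe release: scrub before the block can be reused.  The stores go
 * through a volatile pointer so an optimiser cannot drop them as dead. */
static void arena_release_scrubbed(unsigned char *p) {
    volatile unsigned char *vp = p;
    for (size_t i = 0; i < BLOCK_SIZE; i++) vp[i] = 0;
    in_use = false;
}

/* Simulates one caller storing a secret and releasing the block, then a
 * second caller allocating it.  Returns true if the second caller can
 * read the first caller's secret. */
bool secret_leaks(bool scrub) {
    const char secret[] = "hunter2";   /* constructed sample secret */
    unsigned char *first = arena_alloc();
    memcpy(first, secret, sizeof secret);
    if (scrub) arena_release_scrubbed(first);
    else arena_release_unscrubbed(first);

    unsigned char *second = arena_alloc();   /* gets the same block back */
    bool leaked = memcmp(second, secret, sizeof secret) == 0;
    arena_release_scrubbed(second);          /* leave the arena clean */
    return leaked;
}

int main(void) {
    printf("unscrubbed release leaks secret: %s\n", secret_leaks(false) ? "yes" : "no");
    printf("scrubbed release leaks secret:   %s\n", secret_leaks(true) ? "yes" : "no");
    return 0;
}
```

The point of the volatile loop is that a compiler is entitled to delete a plain `memset` on memory that is never read again; a kernel that scrubs on release has to make sure the scrub actually happens.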

Security Update 2005-009 adds more fixes to that baseline. They’re summarized below, with additional columns for the four separate versions of the update. As you can see in the table, many of the errors are the common and easy-to-fix buffer overflow problems we’ve discussed in MWJ 2005.08.20. Other typical errors are in parsing, such as the Safari bug that makes the browser download files with “very long” filenames into an unpredictably wrong directory, or the regular expression engine in JavaScriptCore that can overflow buffers with a malicious expression.

Security Update 2005-009 Fixes

| Component | Issue | Vulnerability ID | 10.3.9 | 10.3.9 Server | 10.4.3 | 10.4.3 Server |
|---|---|---|---|---|---|---|
| Apache 2 | Update to version 2.0.55, fixing vulnerabilities including cross-site scripting problems with some intermediate servers | CVE-2005-2088 | * | X | * | X |
| apache_mod_ssl | Configurations using SSLVerifyClient directive might allow bypassing required SSL client authentication | CVE-2005-2700 | X | X | X | X |
| Core Foundation | Maliciously-crafted URL can overflow a buffer during parsing | CVE-2005-2757 | * | * | X | X |
| Core Services | Update to Core Types bundle adds files with “.term” filename extension (Terminal files) to the “unsafe executable” list of downloaded files | N/A | * | * | X | X |
| curl | Using NTLM authentication with a malicious HTTP server can overflow a buffer and execute arbitrary code | CVE-2005-3185 | * | * | X | X |
| man pages | Updated documentation for OpenSSH and PAM | N/A | # | # | X | X |
| ODBC Administrator | Internal iodbcadmintool program could allow executing arbitrary code with its root privileges | CVE-2005-3700 | X | X | X | X |
| OpenSSL | Updated to v0.9.7i to prevent a downgrade to SSLv2 (from SSLv3 or TLS) when using compatibility options or failing to explicitly disable SSLv2 | CVE-2005-2969 | X | X | X | X |
| Password server | Potentially compromised credentials when creating an Open Directory master server could let unprivileged local users gain elevated server privileges | CVE-2005-3701 | * | X | * | X |
| Quick Draw | Unspecified improvement in drawing “PICT” files | N/A | X | X | # | # |
| Safari | Long filenames suggested by servers for downloads can make Safari save files in an incorrect location, perhaps accessible to other users | CVE-2005-3702 | X | X | X | X |
| Safari | Dialog boxes created by JavaScript code now display the name of the site whose code created the dialog | CVE-2005-3703 | X | X | X | X |
| Safari | Unspecified improvement of “credit card security code” handling | N/A | X | X | X | X |
| Server Migration | Removes privileges that the utility doesn’t need | N/A | ? | ? | ? | ? |
| sudo | Update to version 1.6.8p9 to prevent custom configurations from allowing unauthorized privilege escalation | CVE-2005-1993 | X | X | X | X |
| syslog | Log messages with newline characters could simulate new messages for events that didn’t happen | CVE-2005-3704 | * | * | X | X |
| Web Kit | PCRE engine for JavaScript has a potentially exploitable buffer overflow that could allow arbitrary code execution | CVE-2005-2491 | X | X | X | X |
| Web Kit | Unspecified downloading of content can overflow a buffer and execute arbitrary code | CVE-2005-3705 | X | X | X | X |

X = Fixed in this update; * = Affected component or feature was never in this version; # = bug was not in this version before this update; ? = unknown
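The syslog entry in the table is worth a closer look, because the fix is the same in any logging path: neutralise line breaks before a message reaches the log file, so that one message cannot masquerade as two records. The code below is an added example, not Apple’s syslog code; the sanitizer, the line counter and the constructed sample message are all illustrative.

```c
/* Added example, not Apple's syslog code: neutralise line breaks and other
 * control characters in a log message before it is written, so a single
 * message cannot forge additional log lines.  Returns the number of bytes
 * written (excluding the NUL), or -1 if the output buffer is too small. */
#include <stdio.h>
#include <string.h>

int sanitize_log_message(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        const char *rep = NULL;
        char buf[5];
        if (*p == '\n') rep = "\\n";
        else if (*p == '\r') rep = "\\r";
        else if (*p < 0x20 || *p == 0x7f) {
            /* any other control character becomes a visible \xNN escape */
            snprintf(buf, sizeof buf, "\\x%02x", *p);
            rep = buf;
        }
        size_t need = rep ? strlen(rep) : 1;
        if (o + need >= outlen) return -1;   /* keep room for the NUL */
        if (rep) memcpy(out + o, rep, need);
        else out[o] = (char)*p;
        o += need;
    }
    out[o] = '\0';
    return (int)o;
}

/* Counts the records a message would occupy if written to the log as-is. */
int count_log_lines(const char *msg) {
    int lines = 1;
    for (const char *p = msg; *p; p++)
        if (*p == '\n') lines++;
    return lines;
}

int main(void) {
    /* constructed sample: a message that carries a forged second record */
    const char *forged =
        "login from 10.0.0.5 ok\nNov 29 10:00:01 host login: user admin logged in";
    char clean[256];

    printf("raw message occupies %d log line(s)\n", count_log_lines(forged));
    if (sanitize_log_message(forged, clean, sizeof clean) >= 0)
        printf("sanitized (%d line(s)): %s\n", count_log_lines(clean), clean);
    return 0;
}
```

Escaping rather than stripping keeps the evidence: an analyst reading the log can still see that someone tried to inject a line break, which is itself worth an alert.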

Apple’s update notes contain a section marked “additional information” that describes changes that, for no disclosed reason, are included in a “Security Update” but that have no assigned vulnerability numbers. One of these is changing “Core Types to improve handling of Terminal files” for Mac OS X 10.4.3. That’s handled through an XML file found at /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/System. As discussed before, this file contains the system’s idea of what file types, MIME types, and filename extensions represent safe and “dangerous” files to download. Security Update 2005-009 adds the filename extension .term to the category of “unsafe executables.” When you download such a file in Safari or any other application that uses Core Types, you’ll be warned that it may contain executable code. (Safari says that it “contains an application.”) There is a way built into Tiger for you to modify Core Types and add your own types or override the system’s defaults, but Apple has still not documented it.

This “additional information” is disconcerting. For the past few years, Apple has been careful to only fix security problems in security updates. Non-security bugs wait for OS revisions, or separate installations like an AirPort Update or DVD Player Update. Changes like updating Core Types to warn you about Terminal files clearly count as security fixes, as apparently would updating Safari “to improve handling of credit card security codes.”

But if these are security issues, why didn’t Apple get CVE numbers for them and document them normally? What is security-related about improving the rendering of QuickDraw PICT files? If Security Updates start including regular bug fixes, a system that’s already somewhat confusing could become downright impenetrable. That wouldn’t benefit Apple or its customers.

The magic of updates

OS X’s Software Update feature is supposed to make it easier to manage your system, by alerting you to the updates you need, downloading them in the background if they’re marked as urgent, and installing them for you when you’re ready. Yet we know this is not happening, with Security Update 2005-009 and other updates too, because readers, friends, and family continue to tell us so. They just ignore what Software Update displays because they can’t figure out what the updates are supposed to do.

Apple never publicly committed to schedules for Mac OS X Updates or Security Updates, but in general, the former have arrived quarterly and the latter monthly. It’s a rule of thumb, not a law of nature—there have been nine security updates in 2005, and three Mac OS X 10.4 updates in the six months that it’s been available. But again, the intent helps people make sense of updates and feel confident in applying them. Security Updates come every four to six weeks and only address vulnerabilities that attackers could exploit. Mac OS X updates arrive every quarter or so, and fix both security and non-security bugs in the OS. Important updates in the interim come for targeted components, like AirPort Extreme or Java 2SE 5.0.

That’s easy, that’s predictable, that’s sensible—to the extent it holds together. It’s not good enough to get 80 percent of the way to the goal. Blowing off the last 20 percent leaves everyone puzzled about updates and makes the first 80 percent of the communications work largely irrelevant. That’s what’s happened this quarter.

Mac OS X 10.4.3 is no less documented than most Mac OS X updates, yet more information would have helped. After that, we got a Security Update that may have non-security fixes in it, a Java update with great developer release notes but almost no user explanations, a barely-documented AirPort Update with two different names (and one edition with two version numbers), a Broadband Tuner that’s not right for most people with broadband, and a firmware update that’s a year overdue.

It’s incredibly frustrating because Apple is so close to making updates work correctly. The rules aren’t complicated.

  • Use the same name for multiple updates addressing the same issues, even if there are separate downloads for different OS versions.
  • Describe what every update provides without the worn-out euphemism “improves reliability,” unless you want to send the message that some updates are intended to decrease reliability. Instead, let’s assume they’re all supposed to “improve reliability” and stop pretending that using these words actually imparts any kind of information.
  • Give updates specific names that make their purpose clear—try “AirPort Extreme Update” instead of “AirPort Update” for software that only works with AirPort Extreme hardware, or “FiOS Tuner” instead of “Broadband Tuner” for software that’s intended only for FiOS connections.
  • For complex subsystems like Java, explain in clear English when you’re adding a new version and when you’re updating an existing version, and tell users—not just developers—what that means.
  • Don’t put items in Software Update only to initially present them unchecked. Software Update is supposed to tell users what they need on their systems. Including updates and then implying they’re not necessary is confusing. Updates for optional hardware like AirPort Extreme (on some models) or iPod support should be checked by default if that hardware is present. If the hardware is not present, the description should say at the top, in bold letters, “Install this if you may add [the optional hardware] to this system.”
  • Apple’s update language screams, at top volume, “We don’t want to tell you too much about this update because we’re embarrassed about it.” This does a disservice to the majority of people that are reluctant to install mysterious updates on working systems. If each of Apple’s November updates had been clearly named, described, and presented, everyone would have known what to expect. And imagine how much time the world could spend on more fruitful pursuits if no one ever had to ask what an Apple update does.

    [ Excerpted with permission from the December 10 issue of MWJ, published by MacJournals.com. Copyright 2005, GCSF Incorporated. For a free trial to MWJ, visit www.macjournals.com. ]