Analysis: Apple's security updates examined
Everyone likes free gifts from Apple, particularly free software updates. Better stuff for free —who could argue? Yet, when Apple released four software updates in the span of two weeks, from November 15 through November 29, coming on the heels of a large and largely undocumented Mac OS X update, it was enough to give anyone pause.
To shed some light on this recent round of updates, let’s take a look at Security Update 2005-009, the most significant and widely relevant one of the bunch.
Security Update 2005-009
You might have been even more confused about the November 29 release of Security Update 2005-009 than usual, at least if you run Mac OS X 10.3.9. For the first day of release, the links on Apple’s download page were broken and redirected your browser to, well, nothing. Software Update correctly presented and downloaded Security Update 2005-009 on Mac OS X 10.3.9 systems, but people who wanted to download it manually from a browser had to wait until the next day.
With that resolved, Apple’s ninth security update of 2005 was available in the four expected configurations: for Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4.3, and Mac OS X Server 10.4.3. The Tiger versions are 5MB and 6MB for regular and server versions, respectively; the Panther versions are 20MB and 33MB, respectively. They’re bigger because the Panther versions, unlike the Tiger versions, include fixes from earlier updates, including files we found in Security Updates 2005-008 and 2005-007. The Tiger versions do not include older fixes because they require Mac OS X 10.4.3, which was released on Halloween and includes Security Update 2005-008 and earlier fixes.
That, by the way, is not to say that Mac OS X 10.4.3 itself doesn’t include new security fixes not previously found in any security update. It does. The five documented security vulnerabilities closed in Mac OS X 10.4.3 are summarized the table below. Two of them involve misleading or delayed changes to group membership or file ownership, another concerns Keychain Access failing to obscure any displayed passwords when their keychain locks due to a timeout, and another prevents you from un-ignoring a pending Software Update unless a new, non-ignored update has arrived. (If all this wasn’t confusing enough, the vulnerability numbers now all start with “CVE” instead of “CAN” thanks to a renaming decision implemented on October 19.)
Security Fixes in Mac OS X 10.4.3
|Component||Issue||Vulnerability ID||10.4.2 client||10.4.2 Server|
|Finder||Displayed file and group ownership information may have little to do with actual ownership information||CVE-2005-2749||X||X|
|Software Update||Marking all available updates as “ignore” made Software Update quit instantly without giving a chance to reset the status of any previously ignored update||CVE-2005-2750||X||X|
|Keychain Access||If a keychain locks due to timeout while displaying a stored password in that keychain, the password remained visible instead of becoming obscured when the keychain locked||CVE-2005-2739||X||X|
|memberd||Dæmon that applies changes to group membership didn’t update Access Control Lists (ACLs) quickly enough, allowing users who had been deleted from groups to continue accessing group files||CVE-2005-2751||*||X|
|Mach kernel||Kernel interfaces might return data from “uninitialized” memory that had actually already been used and released by the kernel, potentially containing leftover sensitive data||CVE-2005-1126, CVE-2005-1406, CVE-2005-2752||X||X|
X = Fixed in this update; * = Affected component or feature was never in this version
The kernel vulnerability fixed in Mac OS X 10.4.3 deserves a moment of explanation. Programs request memory from the operating system to use for their own purposes, and they release it back to the OS when they’re done with it, so the OS may reuse it for other RAM requests. Most programs don’t erase the contents of memory before releasing it, though, because that takes time and is usually unnecessary. The OS doesn’t erase released memory for the same reason.
The kernel, however, should erase memory it releases. The kernel never wants to pass along uninitialized memory to callers, because the caller could then see some of what other kernel code had stored in that RAM—a file buffer, a password, a network packet, and so on. Suresec found two problems that could reveal kernel memory to callers in Mac OS X (or FreeBSD, or both), and the FreeBSD folks found the other one. Mac OS X 10.4.3 fixes all three, but Apple has not disclosed if Mac OS X 10.3.9 suffers from similar defects.
Security Update 2005-009 Fixes
|Component||Issue||Vulnerability ID||10.3.9||10.3.9 Server||10.4.3||10.4.3 Server|
|Apache 2||Update to version 2.0.55, fixing vulnerabilities including cross-site scripting problems with some intermediate servers||CVE-2005-2088||*||X||*||X|
|apache_mod_ssl||Configurations using SSLVerifyClient directive might allow bypassing required SSL client authentication||CVE-2005-2700||X||X||X||X|
|Core Foundation||Maliciously-crafted URL can overflow a buffer during parsing||CVE-2005-2757||*||*||X||X|
|Core Services||Update to Core Types bundle adds files with “.term” filename extension (Terminal files) to the “unsafe executable” list of downloaded files||N/A||*||*||X||X|
|curl||Using NLTM authentication with a malicious HTTP server can overflow a buffer and execute arbitrary code||CVE-2005-3185||*||*||X||X|
|man pages||Updated documentation for OpenSSH and PAM||N/A||#||#||X||X|
|ODBC Administrator||Internal iodbcadmintool program could allow executing arbitrary code with its root privileges||CVE-2005-3700||X||X||X||X|
|OpenSSL||Updated to v0.9.7i to prevent a downgrade to SSLv2 (from SSLv3 or TLS) when using compatibility options or failing to explicitly disable SSLv2||CVE-2005-2969||X||X||X||X|
|Password server||Potentially compromised credentials when creating an Open Directory master server could let unprivileged local users gain elevated server privileges||CVE-2005-3701||*||X||*||X|
|Quick Draw||Unspecified improvement in drawing “PICT” files||N/A||X||X||#||#|
|Safari||Long filenames suggested by servers for downloads can make Safari save files in an incorrect location, perhaps accessible to other users||CVE-2005-3702||X||X||X||X|
|Safari||Unspecified improvement of “credit card security code” handling||N/A||X||X||X||X|
|Server Migration||Removes unneeded privileges that the utility doesn’t need||N/A||?||?||?||?|
|sudo||Update to version 1.6.8p9 to prevent custom configurations from allowing unauthorized privilege escalation||CVE-2005-1993||X||X||X||X|
|syslog||Log messages with newline characters could simulate new messages for events that didn’t happen||CVE-2005-3704||*||*||X||X|
|Web Kit||Unspecified downloading of content can overflow a buffer and execute arbitrary code||CVE-2005-3705||X||X||X||X|
X = Fixed in this update; * = Affected component or feature was never in this version; # = bug was not in this version before this update; ? = unknown
Apple’s update notes contain a section marked “additional information” that describes changes that, for no disclosed reason, are included in a “Security Update” but that have no assigned vulnerability numbers. One of these is changing “Core Types to improve handling of Terminal files” for Mac OS X 10.4.3. That’s handled through an XML file found at
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/System. As discussed before, this file contains the system’s idea of what file types, MIME types, and filename extensions represent safe and “dangerous” files to download. Security Update 2005-009 adds the filename extension
.termto the category of “unsafe executables.” When you download such a file in Safari or any other application that uses Core Types, you’ll be warned that it may contain executable code. (Safari says that it “contains an application.”) There is a way built into Tiger for you to modify Core Types and add your own types or override the system’s defaults, but Apple has still not documented it.
This “additional information” is disconcerting. For the past few years, Apple has been careful to only fix security problems in security updates. Non-security bugs wait for OS revisions, or separate installations like an AirPort Update or DVD Player Update. Changes like updating Core Types to warn you about Terminal files clearly count as security fixes, as apparently would updating Safari “to improve handling of credit card security codes.”
But if these are security issues, why didn’t Apple get CVE numbers for them and document them normally? What is security-related about improving the rendering of QuickDraw PICT files? If Security Updates start including regular bug fixes, a system that’s already somewhat confusing could become down-right impenetrable. That wouldn’t benefit Apple or its customers.
The magic of updates
OS X’s Software Update feature is supposed to make it easier to manage your system, by alerting you of the updates you need, downloading them in the background if they’re marked as urgent, and installing them for you when you’re ready. Yet we know this is not happening, with Security Update 2005-009 and other updates too, because readers, friends, and family continue to tell us so. They just ignore what Software Update displays because they can’t figure out what the updates are supposed to do.
Apple never publicly committed to schedules for Mac OS X Updates or Security Updates, but in general, the former have arrived quarterly and the latter monthly. It’s a rule of thumb, not a law of nature—there have been nine security updates in 2005, and three Mac OS X 10.4 updates in the six months that it’s been available. But again, the intent helps people make sense of updates and feel confident in applying them. Security Updates come every four to six weeks and only address vulnerabilities that attackers could exploit. Mac OS X updates arrive every quarter or so, and fix both security and non-security bugs in the OS. Important updates in the interim come for targeted components, like AirPort Extreme or Java 2SE 5.0.
That’s easy, that’s predictable, that’s sensible—to the extent it holds together. It’s not good enough to get 80 percent of the way to the goal. Blowing off the last 20 percent leaves everyone puzzled about updates and makes the first 80 percent of the communications work largely irrelevant. That’s what’s happened this quarter.
Mac OS X 10.4.3 is no less documented than most Mac OS X updates, yet more information would have helped. After that, we got a Security Update that may have non-security fixes in it, a Java update with great developer release notes but almost no user explanations, a barely-documented AirPort Update with two different names (and one edition with two version numbers), a Broadband Tuner that’s not right for most people with broadband, and a firmware update that’s a year overdue.
It’s incredibly frustrating because Apple is so close to making updates work correctly. The rules aren’t complicated.
Apple’s update language screams, at top volume, “We don’t want to tell you too much about this update because we’re embarrassed about it.” This does a disservice to the majority of people that are reluctant to install mysterious updates on working systems. If each of Apple’s November updates had been clearly named, described, and presented, everyone would have known what to expect. And imagine how much time the world could spend on more fruitful pursuits if no one ever had to ask what an Apple update does.
[ Excerpted with permission from the December 10 issue of MWJ, published by MacJournals.com. Copyright 2005, GCSF Incorporated. For a free trial to MWJ, visit www.macjournals.com. ]