Apple on Monday issued a security update for Mac OS X v10.3.8 that fixes several issues with the operating system, including a vulnerability in the company’s Web browser, Safari. The update also addresses several other problems with Mac OS X and Mac OS X Server.
Safari IDN vulnerability fixed
Of note in the latest update is the International Domain Names (IDN) vulnerability found in Safari. The update prevents look-alike characters from being used to spoof the URL displayed in the address field, SSL certificate or status bar, according to Apple.
Safari can display Unicode characters in URLs, allowing you to access foreign language websites using their native language. By exploiting the IDN vulnerability, an attacker could use look-alike characters to make users believe they are viewing a different site than the one they are actually on.
Apple explains that the Cyrillic letter “a” could be used in place of the Latin letter “a,” making it difficult for a user to tell if they are at a real Web site or a malicious imposter website that’s designed to look like the real one. These sites can be used to collect account numbers, passwords and other personal information.
The update provides a user-editable list of scripts that are allowed to be displayed natively in domain names. The default list does not include Latin look-alike scripts (Cherokee, Cyrillic, and Greek) that could be used to trick users into navigating to malicious sites.
You can edit the list of allowed scripts to specify exactly what scripts you want displayed, but Apple warns that adding Cherokee, Cyrillic and Greek will enable Safari to display all scripts, and will expose you to known IDN vulnerabilities.
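To show how a per-script display policy of the kind Apple describes behaves, here is an added Python example (it is not Apple's code; deriving the script from the Unicode character name and falling back to the ASCII-compatible xn-- form for a blocked label are assumptions of this model):

```python
import unicodedata

# Scripts whose letters resemble Latin ones; the article says Apple's
# default allow-list leaves these out, so they are not rendered natively.
LATIN_LOOKALIKE_SCRIPTS = {"CHEROKEE", "CYRILLIC", "GREEK"}


def script_of(ch: str) -> str:
    """Coarse script name taken from the Unicode character name, e.g.
    'CYRILLIC SMALL LETTER A' -> 'CYRILLIC' (an assumption of this model).
    ASCII letters, digits and the hyphen count as LATIN."""
    if ch.isascii():
        return "LATIN"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def label_scripts(label: str) -> set:
    """Set of scripts used in one domain label."""
    return {script_of(c) for c in label}


def display_form(hostname: str, blocked_scripts=LATIN_LOOKALIKE_SCRIPTS) -> str:
    """Render a hostname the way a script allow-list policy would show it.

    A label is displayed natively only if none of its scripts is blocked;
    otherwise it is shown in its 'xn--' form, so a Cyrillic 'a' can no
    longer pass for a Latin one in the address bar. Passing an empty
    blocked set models the 'display all scripts' setting the article
    warns about."""
    shown = []
    for label in hostname.split("."):
        if label_scripts(label) & set(blocked_scripts):
            # Python's idna codec applies nameprep and punycode (IDNA 2003)
            shown.append(label.encode("idna").decode("ascii"))
        else:
            shown.append(label)
    return ".".join(shown)


if __name__ == "__main__":
    # Constructed sample: 'example.com' with its 'a' replaced by
    # U+0430 CYRILLIC SMALL LETTER A, which looks identical to Latin 'a'.
    spoofed = "ex\u0430mple.com"
    print(display_form(spoofed))                         # xn--exmple-4nf.com
    print(display_form(spoofed, blocked_scripts=set()))  # exаmple.com (unsafe)
    print(display_form("\u65e5\u672c.example"))          # 日本.example
```

A label written entirely in a script that is not on the look-alike list (the CJK sample above) is still shown natively, which is the behaviour the default list is meant to preserve.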
Other included fixes
Safari wasn’t the only issue fixed in the latest Security Update; several others were addressed as well. Two AFP Server problems have been fixed: the first allowed a specially crafted packet to cause a denial of service against the AFP Server, due to an incorrect memory reference. The second AFP fix corrects the checking of file permissions for access to Drop Boxes, preventing their contents from being discovered.
An issue with the Bluetooth Setup Assistant has been fixed, which allowed it to be launched on systems without a keyboard or a preconfigured Bluetooth input device. In these cases, access to certain privileged functions has been disabled within the Bluetooth Setup Assistant.
A buffer overflow problem in Core Foundation has been addressed, which could be used to execute arbitrary code. Several vulnerabilities in Cyrus IMAP, including remotely exploitable denial of service and buffer overflows, have also been fixed.
Multiple vulnerabilities in Cyrus SASL, including remote denial of service and possible remote code execution in applications that use this library, have also been addressed, as has a directory traversal issue in Mailman that could allow access to arbitrary files.