Big Updates at the end of the Week
The end of last week saw some interesting security patches released by major software companies. Both Apple and Microsoft released or re-released patches for issues that had been causing their users problems. Apple released a Safari patch to address the 'Carpet Bombing' problem that had previously been publicly reported, while Microsoft re-released MS08-030, the Bluetooth patch, which hadn't adequately protected Windows XP SP2 and SP3 systems against the vulnerability it described.
Apple's update of Safari was welcome, but it was overshadowed by the public release of a critical privilege escalation bug (and ultimately an arbitrary code execution flaw) that affects Tiger (10.4) and Leopard (10.5). Successfully exploiting it requires an active local user account and ARD (Apple Remote Desktop) to be disabled; perversely, enabling it breaks the exploit. There is a range of workarounds, from enabling ARD, through to removing ARD, and simply setting the following in the ARDAgent Info.plist.
Ultimately, the ARD vulnerability is due to a setuid problem, which is present in many other applications as well. What makes it so problematic in this case is that the setuid binary passes user input straight through to a shell, which then interprets it as the root user. It doesn't take much imagination to create a scenario where a malicious download, once the user is convinced to open it, uses this process to silently take over the system.
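Because the root cause is a setuid-root binary, the first thing a defender wants is an inventory of every such binary on the system, and a way to neutralise one that is not needed (the generic equivalent of the "remove the setuid bit" workaround). The script below is an added example, not code from the original post or from Apple; it walks a directory tree, reports regular files with the setuid bit set (optionally restricted to a given owner, such as uid 0), and can clear the bit on a named file. The `/usr/bin` and `/Applications` defaults in the stand-alone entry point are assumptions about where to look, not a list from the page.

```python
import os
import stat
import sys


def find_setuid_files(root, owner_uid=None):
    """Walk `root` and return the sorted paths of regular files whose setuid
    bit is set. If `owner_uid` is given, only files owned by that uid are
    returned (pass 0 to list setuid-root binaries, the dangerous class)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished entry; skip it
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not executables
            if not st.st_mode & stat.S_ISUID:
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            hits.append(path)
    return sorted(hits)


def strip_setuid(path):
    """Mitigation for an unneeded setuid binary: clear the setuid bit
    (the same effect as `chmod u-s`). Returns the resulting permission bits."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~stat.S_ISUID)
    return stat.S_IMODE(os.lstat(path).st_mode)


if __name__ == "__main__":
    # Assumed default scan roots for a Mac; override on the command line.
    roots = sys.argv[1:] or ["/usr/bin", "/Applications"]
    for root in roots:
        for path in find_setuid_files(root, owner_uid=0):
            print("setuid root:", path)
```

Run it as a normal user to get the inventory; clearing a bit with `strip_setuid` needs write access to the file, so that step is for an administrator who has confirmed the binary does not need elevated privileges. Anything in the list that launches a shell or passes arguments through to one deserves the closest look.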
22 June 2008