
Six potential Mac OS X security flaws -- are they really flaws?

CNET staff

Last week Secunia reported on six potential security flaws in Mac OS X. All of the reported "flaws" are actually repeatable crashes -- but we've yet to determine if any cause the opportunity for exploitation.

One of the proof-of-concept files Ferris has posted to his Security Protocols blog -- labeled under the bug name "Apple OS X BOM ArchiveHelper .zip Heap Overflow" -- results in a crash of Safari when downloading a specially designed .zip file. The crash only occurs if the "Open 'safe' files automatically" option is turned on in the General pane of System Preferences. If this option is turned on, the .zip file is automatically expanded when it is downloaded, and the expansion causes the Safari crash.

In theory, any heap overflow has the potential to be a security flaw. When a heap overflow occurs, there can (potentially) be an opportunity to write arbitrary code to an unintended destination -- either overwriting data on your system or intentionally placing malicious code.

However, a heap overflow that merely crashes the program is only a security flaw if it also gives an attacker an opportunity to run malicious code -- and none of the exploits reported by Ferris are accompanied by any proof of malicious execution (though these demonstrations might be intentionally withheld).
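To make the heap-overflow discussion above concrete, here is an added example (not code from the article, from Ferris, or from Apple) in C. It parses the real ZIP local-file-header layout (the 30-byte fixed part, with the file-name length at offset 26) and shows the classic defect beside its fix: a copy whose size is taken from the file instead of from the destination buffer. The article does not say what actually causes the BOM ArchiveHelper crash, so the trusted-length copy is an assumed, typical mechanism, not a description of that bug; the header bytes are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ZIP local file header: 30-byte fixed part, then file name, then extra field. */
#define LFH_SIZE 30
#define LFH_NAME_LEN_OFF 26
#define NAME_BUF 64 /* deliberately small heap buffer for the file name */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable pattern (assumed, not the actual BOM ArchiveHelper code):
 * the name-length field read from the archive is trusted and used as the
 * copy size into a fixed-size heap allocation. A header whose field exceeds
 * NAME_BUF writes past the allocation: a heap overflow, typically seen as a
 * crash, and sometimes more. Only ever call this with well-formed input. */
char *parse_name_unchecked(const uint8_t *hdr, size_t hdr_len) {
    if (hdr_len < LFH_SIZE || memcmp(hdr, "PK\x03\x04", 4) != 0) return NULL;
    uint16_t name_len = rd16(hdr + LFH_NAME_LEN_OFF);
    char *name = malloc(NAME_BUF);
    if (!name) return NULL;
    memcpy(name, hdr + LFH_SIZE, name_len); /* size comes from the file */
    name[name_len] = '\0';
    return name;
}

/* Hardened: every length taken from the file is checked against both the
 * destination buffer and the bytes actually present before any copy. */
char *parse_name_checked(const uint8_t *hdr, size_t hdr_len) {
    if (hdr_len < LFH_SIZE || memcmp(hdr, "PK\x03\x04", 4) != 0) return NULL;
    uint16_t name_len = rd16(hdr + LFH_NAME_LEN_OFF);
    if (name_len >= NAME_BUF) return NULL;                  /* would not fit with NUL */
    if ((size_t)name_len > hdr_len - LFH_SIZE) return NULL; /* claims more than exists */
    char *name = malloc(NAME_BUF);
    if (!name) return NULL;
    memcpy(name, hdr + LFH_SIZE, name_len);
    name[name_len] = '\0';
    return name;
}

/* Constructed test data: a minimal local file header for `name` whose
 * name-length field is set to `declared_len`, which may disagree with the
 * real length to simulate a crafted archive. Returns bytes written, 0 on error. */
size_t build_header(uint8_t *out, size_t out_cap, const char *name, uint16_t declared_len) {
    size_t n = strlen(name);
    if (out_cap < LFH_SIZE + n) return 0;
    memset(out, 0, LFH_SIZE);
    memcpy(out, "PK\x03\x04", 4);
    out[LFH_NAME_LEN_OFF] = (uint8_t)(declared_len & 0xff);
    out[LFH_NAME_LEN_OFF + 1] = (uint8_t)(declared_len >> 8);
    memcpy(out + LFH_SIZE, name, n);
    return LFH_SIZE + n;
}

/* 1 if the checked parser accepts the header and recovers `name`, else 0. */
int checked_accepts(const char *name, uint16_t declared_len) {
    uint8_t buf[LFH_SIZE + 256];
    size_t len = build_header(buf, sizeof buf, name, declared_len);
    if (!len) return 0;
    char *got = parse_name_checked(buf, len);
    int ok = got != NULL && strcmp(got, name) == 0;
    free(got);
    return ok;
}

int main(void) {
    printf("well-formed header accepted:      %d\n", checked_accepts("readme.txt", 10));
    printf("oversized length field rejected:  %d\n", checked_accepts("readme.txt", 0xFFFF) == 0);
    printf("length past end of data rejected: %d\n", checked_accepts("readme.txt", 20) == 0);
    return 0;
}
```

The unchecked parser behaves identically on the well-formed header, which is why such a bug survives normal use and only shows up when a crafted file arrives; the two extra comparisons in the checked version are the whole fix. Whether the resulting write is merely a crash or a controllable one depends on what sits after the allocation in the heap, which is exactly the question the article says remains open for these reports.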

The crashes were submitted by Tom to Apple on 2/21/2006. There have been two security updates and one full incremental Mac OS X update since then -- none of which addressed any of these alleged issues.

It is interesting to note, however, that these are the type of crashes Apple routinely addresses in Mac OS X security updates.

Take for example this security hole closure in Mac OS X 10.4.5:

"CVE-ID: CVE-2006-0382

"Impact: A malicious local user can cause a system crash

"Description: A malicious local user may trigger a system crash by invoking an undocumented system call. This update addresses the issue by removing the system call from the kernel. Credit to David Goldsmith of Matasano for reporting this issue."

The fact that Apple has yet to address the crashes, as submitted by Ferris, indicates either that there is not a strong potential for malicious exploitation of these crashes, that Apple hasn't judged them to be a threat, or that (at least some of) the crashes are by intentional design and will not be addressed.

Feedback? Late-breakers@macfixit.com.
