Latest Mac OS X security update addresses 26 vulnerabilities

With greater market share comes greater responsibility; and now the maker of the operating system that analysts believe put Apple back among the top five US PC producers finds itself busy addressing some very old-style security holes.

An issue with null pointer dereferencing is among 26 security holes addressed by Apple in its latest Mac OS X 10.5.5 update package, and the details of that little problem are being revealed just today. Usually, programs that are terminated clean up after themselves; but if a program can be terminated cold, it leaves behind pointers to memory that malicious users can abuse.

The latest case in point, according to reports from both Apple and the French security team FrSIRT this morning, involves the Mac's single most prominent program, Finder -- the user's principal tool for locating and managing files.

As Yuxuan Wang, a researcher with Chinese search engine provider Sogou, is credited with having discovered, a malicious user who gains access to the local network (albeit by other clandestine means) can conceivably terminate Finder in mid-process. If Finder happens to be looking for a remote disk volume during that time, it can leave a null memory pointer active -- or in programmers' terms, not dereferenced.

Typically, when a memory pointer points to "null," that's a meaningful thing. It means there's nothing there, and a routine can test for the null-ness of a pointer to determine what to do next. Unless and until Finder finds that remote disk, this particular pointer may remain null. And that's a problem, because if a malicious user knows the address of that pointer, he can potentially use that address to fill that space with arbitrary code. Or, in this less-than-worst-case scenario, he can simply cause the system to be destabilized for a denial-of-service attack.
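To make the "test for the null-ness of a pointer" point concrete, here is an added illustration in C. It is not code from Apple or from the 10.5.5 update, and the mount table, volume names and function names are all constructed for the example. The lookup returns NULL when a volume is not (yet) mounted; the unchecked caller dereferences that NULL and crashes, which is the denial-of-service outcome described above, while the checked caller reports the missing volume and carries on.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed mount table standing in for a file manager's view of its
 * volumes. A remote volume that has not finished mounting is simply absent. */
struct volume {
    const char *name;
    unsigned long capacity_mb;
};

static const struct volume mount_table[] = {
    { "Macintosh HD", 250000UL },
    { "Backup",       500000UL },
};

/* Returns a pointer to the volume, or NULL when it is not mounted. */
const struct volume *find_volume(const char *name)
{
    for (size_t i = 0; i < sizeof mount_table / sizeof mount_table[0]; i++)
        if (strcmp(mount_table[i].name, name) == 0)
            return &mount_table[i];
    return NULL;
}

/* Vulnerable pattern: the caller assumes the lookup succeeded. When the
 * volume is absent, v is NULL and the read below crashes the process. */
unsigned long capacity_unchecked(const char *name)
{
    const struct volume *v = find_volume(name);
    return v->capacity_mb;     /* null pointer dereference when v == NULL */
}

/* Hardened pattern: test the pointer and report "not mounted" instead.
 * Returns 0 on success, -1 when the volume is missing. */
int capacity_checked(const char *name, unsigned long *out)
{
    const struct volume *v = find_volume(name);
    if (v == NULL) {
        *out = 0;
        return -1;             /* caller decides what to do next */
    }
    *out = v->capacity_mb;
    return 0;
}

int main(void)
{
    unsigned long mb;
    /* "RemoteShare" is a constructed name for a volume still being located. */
    if (capacity_checked("RemoteShare", &mb) != 0)
        printf("RemoteShare is not mounted; nothing to report\n");
    if (capacity_checked("Backup", &mb) == 0)
        printf("Backup: %lu MB\n", mb);
    return 0;
}
```

The difference between the two callers is one comparison, which is exactly why this class of bug is so old and so persistent: the check is cheap to write and easy to forget on the path where the remote lookup has not returned yet.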

Also among the 26 vulnerabilities addressed is one discovered by veteran researchers at Oak Ridge National Laboratory. It impacts the system kernel, and deals specifically with a different part of system cleanup.

Files being referenced in memory have "handles" that essentially include the entire dossier of what processes or accounts are being used to access the file, pointers to the file itself, and the credentials of the active user(s) of that file. In the Mac OS (among others), those handles are called vnodes. Oak Ridge researchers learned that, when some programs that utilize files are cleared from memory, they may leave some vnodes behind intact -- and along with them, copies of cached and validated credentials. If a malicious user knew where to look, she could commandeer an existing validation.
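The cleanup problem described above can be sketched in a few dozen lines of C. This is an added illustration, not kernel code and not the Oak Ridge finding itself; the handle structure, credential layout and paths are constructed stand-ins for a vnode and its cached credential. A handle that is released normally scrubs the credential copy when its last reference goes away; a handle whose owner is torn down without releasing it keeps the validated credential in memory, and a simple audit over the handle table finds it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy cached credential, modelled loosely on what a vnode keeps. */
struct cred {
    uint32_t uid;
    uint8_t  token[16];   /* constructed session token */
    int      validated;   /* 1 once the credential has been checked */
};

/* Constructed stand-in for a vnode: a path, a reference count and a
 * copy of the credential that was validated when the file was opened. */
struct vnode_like {
    const char *path;
    int refcount;
    struct cred cached;
};

/* Acquire: take a reference and cache the caller's validated credential. */
void vnode_acquire(struct vnode_like *vn, const struct cred *c)
{
    if (vn->refcount++ == 0)
        vn->cached = *c;
}

/* Release: drop a reference; when the last one goes, overwrite the
 * credential so a later reader of that memory finds nothing reusable.
 * The volatile pointer keeps the compiler from eliding the stores. */
void vnode_release(struct vnode_like *vn)
{
    if (vn->refcount > 0 && --vn->refcount == 0) {
        volatile uint8_t *p = (volatile uint8_t *)&vn->cached;
        for (size_t i = 0; i < sizeof vn->cached; i++)
            p[i] = 0;
    }
}

/* Audit check: a handle with no references but a still-validated
 * credential was dropped without cleanup. Returns the number found. */
int count_stale_credentials(const struct vnode_like *table, size_t n)
{
    int stale = 0;
    for (size_t i = 0; i < n; i++)
        if (table[i].refcount == 0 && table[i].cached.validated)
            stale++;
    return stale;
}

/* Simulate both outcomes: one handle released cleanly, one whose owner
 * was torn down abruptly. Returns the stale-credential count (1). */
int simulate_stale_after_teardown(void)
{
    struct cred c = { .uid = 501, .token = { 0xde, 0xad, 0xbe, 0xef }, .validated = 1 };
    struct vnode_like table[2] = {
        { .path = "/Volumes/Backup/report.txt" },   /* constructed paths */
        { .path = "/Volumes/Backup/notes.txt" },
    };
    vnode_acquire(&table[0], &c);
    vnode_acquire(&table[1], &c);

    vnode_release(&table[0]);   /* clean exit: credential scrubbed */
    table[1].refcount = 0;      /* abrupt teardown: reference gone, credential intact */

    return count_stale_credentials(table, 2);
}
```

The mitigation is the one the article implies: treat the cached credential as part of the handle's lifetime, so that whatever path releases the last reference also erases the copy, and periodically audit for handles that lost their owner without going through that path.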

How old is this issue? With respect to computing systems in general and not just Macintosh, academia and laboratories have been concerned with the possibility of unauthorized processes hacking cached credentials since at least 1991, when a University of Michigan research team (PDF available here) first wrote a treatise describing how remote users could hijack their remote file systems.


© 1998-2024 BetaNews, Inc. All Rights Reserved.