SECURE IT ALERT: Malicious Documents and Images Threaten OS X

Secure IT Alert Header

Homeland Secure IT Alert

Secure IT Alert #2 for Thursday, August 26 2010

More bad news for Mac owners. PLEASE update your systems. We are seeing the number of Mac and *nix exploits ramp up at an alarming rate. Many people have found rootkits were installed on their systems for no telling how long before they were discovered.

The following information was provided courtesy of WatchGuard. Fantastic firewall devices at reasonable prices! If you should be interested, we are a partner with WatchGuard and offer their full line-up.


Malicious Documents and Images Threaten OS X

Severity: Medium

24 August, 2010


  • These vulnerabilities affect: All current versions of OS X 10.5.x (Leopard) and OS X 10.6.x (Snow Leopard)
  • How an attacker exploits them:¬†Multiple vectors of attack, including enticing your users into downloading and viewing various documents or images
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer
  • What to do: OS X administrators should download, test and install Security Update 2010-005 as soon as possible, or let Apple’s Software updater do it for you.


Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes thirteen (number based on CVE-IDs) security issues in seven components that ship as part of OS X, including PHP, CoreGraphics, and ClamAV. Some of the fixed vulnerabilities include:

  • CoreGraphics Buffer Overflow Vulnerability.¬†CoreGraphics is an OS X component that helps output graphics to your display (or printer). CoreGraphics suffers from a heap buffer overflow vulnerability involving the way it handles PDF files. If an attacker can get a victim to view a specially crafted PDF document (perhaps hosted on a malicious web site), he could exploit this flaw to either crash an application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges.
  • ATF Buffer Overflow Vulnerability. The Apple Type Service (ATS) helps OS X machines handle fonts. ATS suffers from a buffer overflow vulnerability having to do with the way it handles embedded fonts. By tricking one of your users into downloading and viewing a malicious document containing a specially crafted font, an attacker can exploit this flaw to execute code on that user’s computer. By default, the attacker would only execute code with that user’s privileges.¬†
  • Multiple PHP Vulnerabilities. PHP is a general-purpose scripting language primarily used to create dynamic web applications, which ships with OS X. Apple’s update fixes several vulnerabilities found in PHP 5.3.1. However, Apple only describes one of the PHP vulnerabilities in any detail. The vulnerability involves a buffer overflow flaw within one of PHP’s image handling function libraries. By enticing one of your OS X users into viewing a specially crafted PNG image (perhaps hosted on a malicious web site), an attacker could exploit this flaw to execute code on that user’s computer, with that user’s privileges.

Apple’s alert also describes other vulnerabilities, including some Denial of Service (DoS) flaws, information disclosure issues, and a few more code executions flaws. Components patched by this security update include:

ATS CFNetwork
ClamAV CoreGraphics
libsecurity PHP

Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details.

Solution Path:

Apple has released OS X Security Update 2010-004 and OS X 10.6.4 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can.

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend that you let OS X’s Software Update utility pick the correct updates for you automatically.

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.


Apple has released updates to fix this flaw.


This alert was researched and written by Corey Nachreiner, CISSP.

Did this alert help you? How could we improve it?
Let us know at

For past alerts, log into the LiveSecurity Archive.

Jargon defined in the LiveSecurity Online Glossary.

If you require assistance please call us at 864.990.4748 or email Рwe offer computer & network support to Greenville / Upstate, SC

Homeland Secure IT Alert Footer

Homeland Secure IT Alert

Leave a Reply

Your email address will not be published. Required fields are marked *