Various Mac OS X Image Vulnerabilities

Previously, while discussing browser plugin vulnerabilities, I had taken a look specifically at QuickTime. As that article shows, it clearly deserved its own topic, as the problems were cross-platform and numerous. However, there are many other image problems specific to Mac OS X which I thought I would touch on today to highlight just how big of a potential exploit vector such formats are. I'm going to be pulling these out of various Apple security update documents for 2006 only (or the article would get way, way too long). It's worrisome when so many flaws are found in Apple's imaging implementations at the same time as browser exploits are becoming so popular. As is well known, we Apple users currently seem to be protected largely by our low market share.

Mac OS X v10.4.8 and Security Update 2006-006:

CVE-2006-4391 Bug in ImageIO related to malicious JPEG 2000 images.

CVE-2006-4395 Bug in QuickDraw Manager related to malicious PICT images.

Security Update 2006-004:

(For this one I am just going to copy rather than summarize)
AppKit, ImageIO

CVE-ID: CVE-2006-3459, CVE-2006-3461, CVE-2006-3462, CVE-2006-3465

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7

Impact: Viewing a maliciously-crafted TIFF image may lead to an application crash or arbitrary code execution

Description: Buffer overflows were discovered in TIFF tag handling (CVE-2006-3459, CVE-2006-3465), the TIFF PixarLog decoder (CVE-2006-3461), and the TIFF NeXT RLE decoder (CVE-2006-3462). By carefully crafting a corrupt TIFF image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of TIFF images. Systems prior to Mac OS X v10.4 are affected only by the TIFF NeXT RLE decoder issue (CVE-2006-3462). Credit to Tavis Ormandy, Google Security Team for reporting this issue.
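To make concrete the kind of "additional validation" of TIFF tags the advisory above talks about, here is an added example of my own (not Apple's ImageIO code, and not from the advisory): a C routine that walks the first IFD of a TIFF and rejects any entry whose count times type size, computed in 64-bit so it cannot wrap, does not fit inside the file. The two sample images are constructed inline for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Byte size of each TIFF field type, indexed by type id (1..12); 0 = invalid. */
static const uint8_t type_size[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]);
}
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? (uint32_t)rd16(p, le) | (uint32_t)rd16(p + 2, le) << 16
              : (uint32_t)rd16(p, le) << 16 | rd16(p + 2, le);
}
/* Returns 0 when the header and every entry of the first IFD are consistent with
   the file length, a negative code otherwise. Never reads outside buf[0..len). */
int validate_tiff(const uint8_t *buf, size_t len) {
    if (len < 8) return -1;
    int le;
    if (!memcmp(buf, "II", 2)) le = 1;
    else if (!memcmp(buf, "MM", 2)) le = 0;
    else return -2;
    if (rd16(buf + 2, le) != 42) return -3;
    uint32_t ifd = rd32(buf + 4, le);
    if (ifd < 8 || (uint64_t)ifd + 2 > len) return -4;       /* entry count must be in file */
    uint16_t n = rd16(buf + ifd, le);
    if ((uint64_t)ifd + 2 + (uint64_t)n * 12 + 4 > len) return -5; /* entries + next-IFD link */
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        uint16_t type = rd16(e + 2, le);
        uint32_t count = rd32(e + 4, le);
        if (type == 0 || type > 12) return -6;
        /* 64-bit product: count * size wraps in 32 bits and would then look "inline". */
        uint64_t bytes = (uint64_t)count * type_size[type];
        if (bytes > 4) {                                       /* value lives out of line */
            uint32_t off = rd32(e + 8, le);
            if (off > len || bytes > len - off) return -7;     /* data runs past file end */
        }
    }
    return 0;
}

/* Constructed samples. good_tiff: LE header, IFD at 8 with ImageWidth (SHORT, inline)
   and ImageDescription (ASCII, 20 bytes at offset 38). bad_tiff: same layout, but the
   second entry claims 0x20000000 RATIONALs of 8 bytes, i.e. 2^32 bytes of data. */
#define HDR 'I', 'I', 42, 0, 8, 0, 0, 0, 2, 0, 0x00, 0x01, 3, 0, 1, 0, 0, 0, 16, 0, 0, 0
#define TAIL 0, 0, 0, 0, 'c','o','n','s','t','r','u','c','t','e','d',' ','s','a','m','p','l','e', 0, 0
const uint8_t good_tiff[] = { HDR, 0x0E, 0x01, 2, 0, 20, 0, 0, 0, 38, 0, 0, 0, TAIL };
const uint8_t bad_tiff[]  = { HDR, 0x0E, 0x01, 5, 0, 0, 0, 0, 0x20, 38, 0, 0, 0, TAIL };
```

A parser that did the same multiplication in 32 bits would compute 0 bytes for the bad entry, treat the value as inline, and never notice that the claimed data is larger than the file.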

CVE-2006-0392 A problem in Image RAW related to malicious Canon RAW images.

CVE-2006-3501 Bug in ImageIO related to malicious Radiance images.

CVE-2006-3502, CVE-2006-3503 Two bugs in ImageIO related to malicious GIF images.

Mac OS X v10.4.7 Update:

CVE-2006-1469 Bug in ImageIO related to malicious TIFF images.

Security Update 2006-003:

(Another direct copy)
AppKit, ImageIO

CVE-ID: CVE-2006-1982, CVE-2006-1983, CVE-2006-1984

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6

Impact: Viewing a maliciously-crafted GIF or TIFF image may lead to arbitrary code execution

Description: The handling of malformed GIF or TIFF image may lead to arbitrary code execution when parsing a maliciously-crafted image. This affects applications that use the ImageIO (Mac OS X v10.4 Tiger) or AppKit (Mac OS X v10.3 Panther) framework to read images. This update addresses the issue by performing additional validation of GIF and TIFF images.

CVE-2006-1552 Bug in ImageIO related to malicious JPEG images.

CVE-2006-1552, CVE-2006-1552 Two bugs in QuickDraw related to malicious PICT images.

So, I think you can see the problem here with the recurrence of bugs in the same code. Apple is treating the symptoms instead of the problem, and thus keeps getting sick. For my own sake, and the sake of other Apple users, I hope Apple starts to "Get It" soon regarding good coding practices, auditing an entire piece of code when a vulnerability is found (not just the affected region), and preemptive fuzzing. Otherwise we could be in for more of the same for the foreseeable future.