Apple Fixes Two Security Holes
Apple fixed two security gaps in the recent Mac OS X 10.3.4 release, and although they aren’t at the level of the URL scheme failure documented in our last issue and now addressed by Security Update 2004-06-07 (covered earlier in this issue), it’s worth mentioning a few details.
The first problem involved encrypted connections for AppleShare servers using the SSH (Secure Shell) protocol. These connections didn’t work in Mac OS X 10.3 through 10.3.2, and were implemented in 10.3.3 in a manner that could allow a man-in-the-middle attack to compromise a network and extract passwords (see "AppleShare Encryption Security Flaw Discovered" in TidBITS-719).
The fix warns users who have set their AppleShare options to use SSH whenever an SSH connection turns out to be unavailable. While users still can’t manage SSH fingerprints or use the other methods normally available for handling these kinds of secure connections, the small percentage of people relying on AppleShare over SSH are now in a better position to be alert to possible compromises.
In testing, I was unable to create an AppleShare-over-SSH session between two Mac OS X 10.3.4 systems over the Internet or on the same local network with SSH correctly enabled and with no firewalls in place. However, I could mount an AppleShare volume from a Mac OS X Server running 10.3.4 using SSH with no problem.
The other, unrelated problem is a potential threat that could disrupt the Internet’s various backbone and high-level routers (see "Serious TCP Weakness Identified" in TidBITS-727). While it looks like that threat has not materialized yet, thanks to diligence by the operators of that equipment, the same flaw is present in personal computers, where it has much less risk of being exploited.
Apple notes in the security improvements description attached to 10.3.4 that the release "provides better handling of out-of-sequence TCP packets." This may or may not signify that they’ve mitigated this problem in Apple products – it’s unclear at this point.