[ISN] Darwin flaws survive in Apple's Mac OS X

InfoSec News isn at c4i.org
Wed Jan 19 02:55:30 EST 2005


By Robert Lemos 
Staff Writer, CNET News.com
January 18, 2005

A source-code audit of the open-source operating system from which
Apple Computer borrowed much of the code for Mac OS X revealed four
vulnerabilities of varying severity in Apple's software, a security
company said Monday.

The flaws in Darwin affect Mac OS X version 10.3--dubbed Panther--and
are caused by memory errors in the kernel, according to an advisory
released by ImmunitySec, the security company that found the flaws.

"In terms of criticalness, this kind of bug mostly affects remote
systems with multiple users," said David Aitel, founder and security
consultant with ImmunitySec, adding that since Mac OS X is most often
used on the desktop, the flaws will not be overly important on most
people's systems.

The company originally found the flaws in June and published them to
a private list of customers but did not notify Apple. It published the
flaws on Monday, after presenting them at a seminar.

Apple confirmed that it had not been told of the flaws and said it was
analyzing the vulnerabilities but would not elaborate.

ImmunitySec found the flaws by analyzing the publicly available source
code of the Darwin operating system, which implements a variant of
Unix known as BSD. Darwin forms the core of Apple's modern Mac OS X
operating system, and the flaws found by the security company also
affected Apple's operating system.

The flaws include a bug in Mac OS X's SearchFS function, several
kernel memory overflows and a logic bug in the AT command, which is
used to schedule tasks by the operating system.

More information about the ISN mailing list