M1.1 Description

Mac OS X is Apple's BSD-based operating system for its line of PowerPC- and Intel-based computers.

For more information on Mac OS X, see: http://www.apple.com/macosx

Mac OS X is made up of many different components. Each of these components could potentially have security flaws. The majority of the critical flaws discovered in the past year fall into six different categories:

• Safari - Apple's Safari web browser is the default web browser in recent versions of Mac OS X. Vulnerabilities in this application could potentially result in complete control of a user's browser or login session.


• ImageIO - The core image-handling framework used by the system and most applications. Vulnerabilities in this framework could potentially affect many different applications. Image files are generally considered "safe" files by various applications, and are opened without prompting by default.


• Unix - Mac OS X is based on and incorporates large amounts of code from earlier Unix-like operating systems. Many applications written for various Unix and Unix-like operating systems run on Mac OS X and some of these applications are shipped as part of the operating system by Apple. Flaws in these applications may be patched for Mac OS X considerably later than for the upstream vendor.


• Wireless - Reports of a critical vulnerability in Mac OS X's wireless network subsystem that allow physically-proximate attackers to gain complete control of a vulnerable system were met with surprise by many in the security community. The nature of the flaw allowed attackers to attack systems even if that system was not part of the same logical network as the attacker. Additional flaws were discovered in the Bluetooth wireless interface subsystem, with similar results.


• Virus/Trojan - The first viruses and trojans for the Mac OS X platform were discovered in the past year.


• Other - The remaining vulnerabilities do not fit in a well-defined category.

Note that Apple normally distributes patches and updates as comprehensive updates; a given Security Update will include both low-severity and critical updates.

M1.2 CVE Entries

Safari Vulnerabilities (includes zero-days)
HTML Rendering Vulnerabilities - CVE-2005-3705, CVE-2006-1987, CVE-2006-3505, CVE-2006-3946
Security Bypass Vulnerabilities - CVE-2005-2516, CVE-2006-0399, CVE-2006-0397, CVE-2006-0398.

ImageIO Vulnerabilities
Image Format Vulnerabilities - CVE-2006-1469, CVE-2006-1982, CVE-2005-2747

3rdParty Products' Vulnerabilities
Inherited Vulnerabilities - CVE-2006-0384

Wireless Driver Vulnerabilities
WiFi Driver Vulnerabilities - CVE-2006-3509, CVE-2006-3508, CVE-2006-3507

Viruses and Trojans
Viruses and Trojans - OSX/Leap-A trojan.

Other Vulnerabilities
CVE-2006-3498, CVE-2006-1450, CVE-2006-1449, CVE-2006-0848, CVE-2005-2518, CVE-2006-4394