Apple Mac OS X has insecure file permissions
macos-insecure-file-permissions (13537)
Description:
Apple Mac OS X could allow a local attacker to gain privileges on the system because of a flaw in how DMG files are handled. DMG files are created with world-writable permissions, which could allow a local attacker to overwrite and delete sensitive files and directories on the system and gain elevated privileges.
Consequences:
File Manipulation
Remedy:
Upgrade to the latest version of Mac OS X (10.3 or later), available from the Apple Computer, Inc. Web site. See References.
References:
- @stake, Inc. Security Advisory a102803-1: Mac OS X Systemic Insecure File Permissions.
- Apple Computer, Inc. Web site: Apple - Mac OS X.
- BID-8916: Apple Mac OS X Insecure File Permissions Vulnerabilities
- BID-8917: Apple Mac OS X Multiple Vulnerabilities
- CVE-2003-0876: Finder in Mac OS X 10.2.8 and earlier sets global read/write/execute permissions on directories when they are dragged (copied) from a mounted volume such as a disk image (DMG), which could cause the directories to have less restrictive permissions than intended.
Platforms Affected:
- Apple Mac OS X 10.0
- Apple Mac OS X 10.0.4
- Apple Mac OS X 10.1
- Apple Mac OS X 10.1.1
- Apple Mac OS X 10.1.2
- Apple Mac OS X 10.1.3
- Apple Mac OS X 10.1.4
- Apple Mac OS X 10.1.5
- Apple Mac OS X 10.2
- Apple Mac OS X 10.2.1
- Apple Mac OS X 10.2.2
- Apple Mac OS X 10.2.3
- Apple Mac OS X 10.2.4
- Apple Mac OS X 10.2.5
- Apple Mac OS X 10.2.6
- Apple Mac OS X 10.2.7
- Apple Mac OS X 10.2.8
- Apple Mac OS X Server 10.0
- Apple Mac OS X Server 10.0.1
- Apple Mac OS X Server 10.0.2
- Apple Mac OS X Server 10.0.3
- Apple Mac OS X Server 10.2
- Apple Mac OS X Server 10.2.1
- Apple Mac OS X Server 10.2.2
- Apple Mac OS X Server 10.2.3
- Apple Mac OS X Server 10.2.4
- Apple Mac OS X Server 10.2.5
- Apple Mac OS X Server 10.2.6
- Apple Mac OS X Server 10.2.7
- Apple Mac OS X Server 10.2.8
Reported:
Oct 28, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
