News - 11/30/05

Apple Releases Security Update for Mac OS X

Potential vulnerabilities addressed
By Dave Nagel
Apple yesterday released a new Security Update for Mac OS X and Mac OS X Server 10.3.9 through 10.4.3. The latest release--the ninth of the year so far--targets a wide range of potential vulnerabilities found in the operating system, including Apache, curl, CoreFoundation and various other system components, as well as Apple's Web browser, Safari.

In particular, several of the component updates address issues that could conceivably lead to arbitrary code execution, elevation of user privileges and bypassing of SSL client authentication. The update also includes some minor functional enhancements, such as improved handling of credit card security codes, improved handling of Terminal files, improved rendering of PICT files (in Mac OS X 10.3.9) and documentation for OpenSSH and PAM.

Potential arbitrary code execution addressed
In the area of potential arbitrary code execution, the update targets CoreFoundation (used by Safari and other applications), where "maliciously crafted" URLs could trigger a heap buffer overflow, leading to crashes or code execution. The update now performs additional URL validation to prevent this problem.

Similarly, when curl was used with NTLM authentication, overly long domain or user names could previously cause a stack buffer overflow, which could result in code execution. (Curl is a technology used for client-side URL transfers.) The update performs additional validation when using NTLM authentication.
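The curl NTLM issue is a fixed-size-buffer problem: name lengths taken from the authentication exchange were never compared with the space left in the message buffer. As an added illustration (not Apple's or curl's code), the constructed builder below shows the unchecked pattern beside a hardened form that performs the kind of length validation the update describes. The 1024-byte buffer, the 64-byte header region and the simplified layout (header, then domain, then user) are assumptions, not the real NTLM Type-3 format.

```c
#include <stdlib.h>
#include <string.h>

#define NTLM_BUF_SIZE 1024
#define NTLM_HDR_SIZE 64   /* constructed: fixed header region before the names */

/* Unchecked pattern: the class of bug the update closes. The lengths of the
 * domain and user names are never compared with the space left in ntlmbuf,
 * so oversized names write past the end of the stack buffer.
 * Shown for contrast only; never call it with untrusted input. */
size_t build_type3_unchecked(const char *domain, const char *user)
{
    unsigned char ntlmbuf[NTLM_BUF_SIZE];
    size_t size = NTLM_HDR_SIZE;
    memset(ntlmbuf, 0, NTLM_HDR_SIZE);
    memcpy(&ntlmbuf[size], domain, strlen(domain)); size += strlen(domain);
    memcpy(&ntlmbuf[size], user, strlen(user));     size += strlen(user);
    return size;
}

/* Hardened form: validate each name against the remaining space before
 * copying. Returns the message length, or 0 if the names do not fit. */
size_t build_type3_checked(const char *domain, const char *user)
{
    unsigned char ntlmbuf[NTLM_BUF_SIZE];
    size_t dlen = strlen(domain), ulen = strlen(user), size = NTLM_HDR_SIZE;
    memset(ntlmbuf, 0, NTLM_HDR_SIZE);
    if (dlen > sizeof ntlmbuf - size) return 0;   /* domain would overflow */
    memcpy(&ntlmbuf[size], domain, dlen); size += dlen;
    if (ulen > sizeof ntlmbuf - size) return 0;   /* user would overflow */
    memcpy(&ntlmbuf[size], user, ulen);   size += ulen;
    return size;
}

/* Check helper: returns 1 if the hardened builder rejects a user name of
 * n bytes (constructed input of repeated 'A'), 0 if it accepts it. */
int user_name_rejected(size_t n)
{
    char *name = malloc(n + 1);
    int rejected;
    if (!name) return -1;
    memset(name, 'A', n);
    name[n] = '\0';
    rejected = build_type3_checked("CORP", name) == 0;
    free(name);
    return rejected;
}
```

With the assumed layout, a 4-byte domain leaves 956 bytes for the user name, so a 957-byte name is rejected rather than copied.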

Safari has also been updated to address potential code execution problems. (See below.)


Safari gets several fixes
Apple's Web browser, Safari, has also gained several security enhancements in the latest release. Two potentially severe problems could have allowed for the execution of code. One involved visiting malicious Web sites with WebKit-based applications (like Safari): downloading certain content could have triggered a heap overflow, which could have led to the execution of code. The update also offers an updated version of Safari's JavaScript engine that provides "more robust input validation," according to Apple, in order to prevent the possible execution of code through the processing of expressions.

Two other issues with Safari have also been addressed with the latest Security Update. In JavaScript dialogs, Safari now displays the originating site name to prevent users from unintentionally providing information to the wrong site. It also now prevents the downloading of certain files to locations other than the user-specified download directory.

Other updates
There are several other preventative fixes included in the latest Security Update for the system and other components. These include:

  • Apache 2 Web server: Updated to version 2.0.55 to prevent potential problems with Apache used in conjunction with certain proxy servers, which could have allowed attackers to bypass protections with certain HTTP headers.
  • apache_mod_ssl: Updated to prevent the bypassing of SSL client authentication in certain configurations.
  • iodbcadmintool: Fixes a vulnerability that could have allowed local users to elevate their privileges and execute code.
  • OpenSSL: Fixes a problem that could have made certain applications vulnerable to a protocol downgrade attack.
  • passwordserver: Updated to protect credentials in Open Directory master servers to prevent local users from gaining elevated privileges.
  • sudo: Updates sudo to version 1.6.8p9 to help restrict users from gaining elevated privileges in certain custom configurations.
  • syslog: Fixes a problem that could have allowed local users to forge system log server records.

The update also includes various other, more minor enhancements. Apple is recommending this Security Update (Security Update 2005-009 1.0) for all Mac OS X users. The update is free and available through Software Update. For more information, visit http://www.apple.com.

© 2015 Digital Media Online, All Rights Reserved