11/30/05

Apple Releases Security Update for Mac OS X

Potential vulnerabilities addressed
In particular, several of the component updates address issues that could conceivably lead to arbitrary code execution, elevation of user privileges and bypassing of SSL client authentication. The update also includes some minor functional enhancements, such as improved handling of credit card security codes, improved handling of Terminal files, improved rendering of PICT files (in Mac OS X 10.3.9) and documentation for OpenSSH and PAM.
Potential arbitrary code execution addressed
In the area of potential arbitrary code execution, the update targets CoreFoundation (used by Safari and other applications), where a "maliciously crafted" URL could trigger a heap buffer overflow, leading to a crash or to code execution. The update now performs additional URL validation to prevent this problem.
Similarly, when curl was used with NTLM authentication, an overly long domain or user name could cause a stack buffer overflow, which could result in code execution. (curl is a technology used for client-side URL transfers.) The update performs additional validation when using NTLM authentication.
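Both of the fixes above come down to the same defensive rule: check the length of attacker-controlled input against the destination buffer before copying it. The following C program is an added illustration of that rule, not Apple's or curl's code; the `DOMAIN\user` credential format, the buffer sizes and the sample inputs are constructed for the example. It shows the unsafe copy pattern beside a bounds-checked version that rejects over-long names instead of overflowing.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative fixed buffer sizes (hypothetical, not from the advisory). */
#define DOMAIN_MAX 16
#define USER_MAX   16

/* UNSAFE pattern, shown for contrast only and never called by the checks
   below: "DOMAIN\user" is copied into fixed stack buffers with no length
   check, so a name longer than the buffer writes past its end. */
int split_domain_user_unsafe(const char *in, char *domain, char *user)
{
    const char *sep = strchr(in, '\\');
    if (sep == NULL) {
        strcpy(user, in);                 /* no bound on strlen(in) */
        domain[0] = '\0';
        return 0;
    }
    memcpy(domain, in, (size_t)(sep - in)); /* no bound either */
    domain[sep - in] = '\0';
    strcpy(user, sep + 1);
    return 0;
}

/* Hardened form: every length is validated against the destination size
   before any byte is copied. Over-long input is rejected (-1) rather than
   truncated, so the caller sees an explicit failure, not silent corruption. */
int split_domain_user(const char *in, char *domain, size_t domain_sz,
                      char *user, size_t user_sz)
{
    const char *sep = strchr(in, '\\');
    size_t dlen = sep ? (size_t)(sep - in) : 0;
    const char *ustart = sep ? sep + 1 : in;
    size_t ulen = strlen(ustart);

    /* ">=" leaves room for the terminating NUL in each buffer. */
    if (dlen >= domain_sz || ulen >= user_sz)
        return -1;
    memcpy(domain, in, dlen);
    domain[dlen] = '\0';
    memcpy(user, ustart, ulen);
    user[ulen] = '\0';
    return 0;
}

/* 1 if the credential fits the fixed buffers, 0 if it was rejected. */
int credential_fits(const char *in)
{
    char domain[DOMAIN_MAX], user[USER_MAX];
    return split_domain_user(in, domain, sizeof domain, user, sizeof user) == 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *ok = "CORP\\alice";
    const char *toolong = "CORP\\averyveryverylongusername";

    printf("%s -> %s\n", ok, credential_fits(ok) ? "accepted" : "rejected");
    printf("%s -> %s\n", toolong, credential_fits(toolong) ? "accepted" : "rejected");
    return 0;
}
```

The `>=` comparison is the detail most often got wrong: a 16-byte buffer holds at most 15 characters plus the NUL, so a 16-character name must be rejected even though it "fits" by a naive `strlen` comparison.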
Safari has also been updated to address potential code execution problems. (See below.)
Safari gets several fixes
There are several other preventive fixes included in the latest Security Update for the system and other components. These include:
- Apache 2 Web server: Updated to version 2.0.55 to address a problem when Apache is used in conjunction with certain proxy servers, which could have allowed attackers to bypass protections using certain HTTP headers.
- apache_mod_ssl: Updated to prevent the bypassing of SSL client authentication in certain configurations.
- iodbcadmintool: Fixes a vulnerability that could have allowed local users to elevate their privileges and execute code.
- OpenSSL: Fixes a problem that could have made certain applications vulnerable to a protocol downgrade attack.
- passwordserver: Updated to protect credentials in Open Directory master servers to prevent local users from gaining elevated privileges.
- sudo: Updates sudo to version 1.6.8p9 to help restrict users from gaining elevated privileges in certain custom configurations.
- syslog: Fixes a problem that could have allowed local users to forge system log server records.
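Two of the items above name a specific minimum version (Apache 2.0.55 and sudo 1.6.8p9), which is the kind of fact an administrator can verify on a machine after applying the update. The shell script below is an added example of such a check; it is not Apple's code. It assumes the standard banner formats of `httpd -v` ("Server version: Apache/2.0.55 ...") and `sudo -V` ("Sudo version 1.6.8p9"), and the banner strings used to exercise it are constructed.

```sh
#!/bin/sh
# Added example (not Apple's code): confirm that installed Apache and sudo
# report versions at or above those named in Security Update 2005-009.

# version_ge CURRENT MINIMUM: succeed when CURRENT >= MINIMUM.
# Fields are compared numerically left to right; sudo's "p" patch suffix
# becomes an extra field, so 1.6.8p9 compares as 1.6.8.9.
version_ge() {
    cur=$(printf '%s' "$1" | sed 's/p/./g')
    min=$(printf '%s' "$2" | sed 's/p/./g')
    i=1
    while :; do
        c=$(printf '%s' "$cur" | cut -d. -f"$i")
        m=$(printf '%s' "$min" | cut -d. -f"$i")
        if [ -z "$c" ] && [ -z "$m" ]; then
            return 0            # every field matched: equal versions
        fi
        c=${c:-0}               # missing trailing field counts as 0
        m=${m:-0}
        if [ "$c" -gt "$m" ]; then
            return 0
        elif [ "$c" -lt "$m" ]; then
            return 1
        fi
        i=$((i + 1))
    done
}

# Pull the bare version number out of each tool's banner line.
apache_version_from() { printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9.]*\).*/\1/p'; }
sudo_version_from()   { printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9.p]*\).*/\1/p'; }

# check_component NAME VERSION MINIMUM: print a verdict, succeed only if OK.
check_component() {
    if [ -z "$2" ]; then
        echo "$1: version not detected"
        return 1
    fi
    if version_ge "$2" "$3"; then
        echo "$1 $2: at or above $3"
    else
        echo "$1 $2: BELOW $3, update needed"
        return 1
    fi
}

# Live check against the real tools; enabled with RUN_LIVE_CHECK=1 so the
# functions above can also be exercised offline with constructed banners.
if [ "${RUN_LIVE_CHECK:-0}" = 1 ]; then
    check_component apache "$(apache_version_from "$(httpd -v 2>/dev/null)")" 2.0.55
    check_component sudo "$(sudo_version_from "$(sudo -V 2>/dev/null | head -n 1)")" 1.6.8p9
fi
```

Run with `RUN_LIVE_CHECK=1 sh check-versions.sh` on the host; a non-zero exit from either `check_component` call flags a component still below the version the update ships.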
The update also includes various other, more minor enhancements. Apple is recommending this Security Update (Security Update 2005-009 1.0) for all Mac OS X users. The update is free and available through Software Update. For more information, visit http://www.apple.com.
Source: Digital Media Online. All Rights Reserved.